Windows Analysis Report
5Qq54zuREl.exe

Overview

General Information

Sample Name: 5Qq54zuREl.exe
Analysis ID: 699572
MD5: ef105c04e69b202408cae62ab05ed460
SHA1: 6a4b822478fc7ee87ce9f5d7c4c38eca71c8174b
SHA256: 6f03dfd71abd06402371157eac912ffeae7871a6d93b8d2dad3242ae59644fcf
Tags: exe

Detection

RedLine
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Writes to foreign memory regions
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • 5Qq54zuREl.exe (PID: 5212 cmdline: "C:\Users\user\Desktop\5Qq54zuREl.exe" MD5: EF105C04E69B202408CAE62AB05ED460)
    • AppLaunch.exe (PID: 4600 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
    • WerFault.exe (PID: 5740 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 248 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration Extractor: RedLine {"C2 url": ["195.54.170.157:16525"], "Bot Id": "1874386002", "Authorization Header": "1ed306ce33b7f6bc7de430ec8e4d8d9f"}
Source | Rule | Description | Author
00000000.00000003.256351154.00000000009B2000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000003.256351154.00000000009B2000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown
  • 0x13305:$a1: get_encrypted_key
  • 0x129fd:$a2: get_PassedPaths
  • 0x1142a:$a3: ChromeGetLocalName
  • 0x12c08:$a4: GetBrowsers
  • 0x19638:$a5: Software\Valve\SteamLogin Data
  • 0x18ed8:$a6: %appdata%\
  • 0x12722:$a7: ScanPasswords
00000000.00000000.262540622.0000000000408000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000000.262540622.0000000000408000.00000004.00000001.01000000.00000003.sdmp | Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown
  • 0x13715:$a1: get_encrypted_key
  • 0x12e0d:$a2: get_PassedPaths
  • 0x1183a:$a3: ChromeGetLocalName
  • 0x13018:$a4: GetBrowsers
  • 0x19a48:$a5: Software\Valve\SteamLogin Data
  • 0x192e8:$a6: %appdata%\
  • 0x12b32:$a7: ScanPasswords
00000000.00000000.260807439.0000000000408000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author
1.0.AppLaunch.exe.350000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
1.0.AppLaunch.exe.350000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x19ca8:$pat14: , CommandLine:
  • 0x12cce:$v2_1: ListOfProcesses
  • 0x12a8e:$v4_3: base64str
  • 0x136d3:$v4_4: stringKey
  • 0x1123f:$v4_5: BytesToStringConverted
  • 0x1033a:$v4_6: FromBase64
  • 0x117b2:$v4_8: procName
  • 0x11ac8:$v5_1: DownloadAndExecuteUpdate
  • 0x12965:$v5_2: ITaskProcessor
  • 0x11ab6:$v5_3: CommandLineUpdate
  • 0x11aa7:$v5_4: DownloadUpdate
  • 0x11eac:$v5_5: FileScanning
  • 0x11460:$v5_7: RecordHeaderField
  • 0x110c8:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
1.0.AppLaunch.exe.350000.0.unpack | Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown
  • 0x13705:$a1: get_encrypted_key
  • 0x12dfd:$a2: get_PassedPaths
  • 0x1182a:$a3: ChromeGetLocalName
  • 0x13008:$a4: GetBrowsers
  • 0x19a38:$a5: Software\Valve\SteamLogin Data
  • 0x192d8:$a6: %appdata%\
  • 0x12b22:$a7: ScanPasswords
0.3.5Qq54zuREl.exe.9b0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.3.5Qq54zuREl.exe.9b0000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x19ca8:$pat14: , CommandLine:
  • 0x12cce:$v2_1: ListOfProcesses
  • 0x12a8e:$v4_3: base64str
  • 0x136d3:$v4_4: stringKey
  • 0x1123f:$v4_5: BytesToStringConverted
  • 0x1033a:$v4_6: FromBase64
  • 0x117b2:$v4_8: procName
  • 0x11ac8:$v5_1: DownloadAndExecuteUpdate
  • 0x12965:$v5_2: ITaskProcessor
  • 0x11ab6:$v5_3: CommandLineUpdate
  • 0x11aa7:$v5_4: DownloadUpdate
  • 0x11eac:$v5_5: FileScanning
  • 0x11460:$v5_7: RecordHeaderField
  • 0x110c8:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 5Qq54zuREl.exe | ReversingLabs: Detection: 70%
Source: 5Qq54zuREl.exe | Virustotal: Detection: 55%
Source: 5Qq54zuREl.exe | Metadefender: Detection: 44%
Source: 1.0.AppLaunch.exe.350000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["195.54.170.157:16525"], "Bot Id": "1874386002", "Authorization Header": "1ed306ce33b7f6bc7de430ec8e4d8d9f"}
Source: 5Qq54zuREl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5Qq54zuREl.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbu source: AppLaunch.exe, 00000001.00000002.525773888.00000000008A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.525773888.00000000008A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.525773888.00000000008A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.525773888.00000000008A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb0} source: AppLaunch.exe, 00000001.00000002.525773888.00000000008A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Downloads\NewPublish\udezfxe44vl12u\main.pdb source: 5Qq54zuREl.exe
Source: Joe Sandbox View | IP Address: 195.54.170.157
Source: global traffic | TCP traffic: 192.168.2.7:49726 -> 195.54.170.157:16525
Source: unknown | TCP traffic detected without corresponding DNS query: 195.54.170.157
Source: AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
  • http://schemas.xmlsoap.org/soap/actor/next
  • http://schemas.xmlsoap.org/soap/envelope/
  • http://schemas.xmlsoap.org/ws/2004/08/addressing
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/faultL
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  • http://schemas.xmlsoap.org/ws/2005/02/rm
  • http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  • http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  • http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  • http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
  • http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
  • http://tempuri.org/
  • http://tempuri.org/Entity/
  • http://tempuri.org/Entity/Id1
  • http://tempuri.org/Entity/Id10
  • http://tempuri.org/Entity/Id10Response
  • http://tempuri.org/Entity/Id11
  • http://tempuri.org/Entity/Id11Response
  • http://tempuri.org/Entity/Id12
  • http://tempuri.org/Entity/Id12Response
  • http://tempuri.org/Entity/Id13
  • http://tempuri.org/Entity/Id13Response
  • http://tempuri.org/Entity/Id14
  • http://tempuri.org/Entity/Id14Response
  • http://tempuri.org/Entity/Id15
  • http://tempuri.org/Entity/Id15Response
  • http://tempuri.org/Entity/Id16
  • http://tempuri.org/Entity/Id16Response
  • http://tempuri.org/Entity/Id17
  • http://tempuri.org/Entity/Id17Response
  • http://tempuri.org/Entity/Id18
  • http://tempuri.org/Entity/Id18Response
  • http://tempuri.org/Entity/Id19
  • http://tempuri.org/Entity/Id19Response
  • http://tempuri.org/Entity/Id1Response
  • http://tempuri.org/Entity/Id2
  • http://tempuri.org/Entity/Id20
  • http://tempuri.org/Entity/Id20Response
  • http://tempuri.org/Entity/Id21
  • http://tempuri.org/Entity/Id21Response
  • http://tempuri.org/Entity/Id22
  • http://tempuri.org/Entity/Id22Response
  • http://tempuri.org/Entity/Id23
  • http://tempuri.org/Entity/Id23Response
  • http://tempuri.org/Entity/Id24
  • http://tempuri.org/Entity/Id24Response
  • http://tempuri.org/Entity/Id2Response
  • http://tempuri.org/Entity/Id3
  • http://tempuri.org/Entity/Id3Response
  • http://tempuri.org/Entity/Id4
  • http://tempuri.org/Entity/Id4Response
  • http://tempuri.org/Entity/Id5
  • http://tempuri.org/Entity/Id5Response
  • http://tempuri.org/Entity/Id6
  • http://tempuri.org/Entity/Id6Response
  • http://tempuri.org/Entity/Id7
  • http://tempuri.org/Entity/Id7Response
  • http://tempuri.org/Entity/Id8
  • http://tempuri.org/Entity/Id8Response
  • http://tempuri.org/Entity/Id9
  • http://tempuri.org/Entity/Id9Response
Source: 5Qq54zuREl.exe, 5Qq54zuREl.exe, 00000000.00000000.262540622.0000000000408000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000001.00000000.256316488.0000000000352000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip

System Summary

            Source: 1.0.AppLaunch.exe.350000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
            Source: 1.0.AppLaunch.exe.350000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
            Source: 0.3.5Qq54zuREl.exe.9b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
            Source: 0.3.5Qq54zuREl.exe.9b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
            Source: 0.0.5Qq54zuREl.exe.330000.2.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
            Source: 0.0.5Qq54zuREl.exe.330000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
            Source: 0.0.5Qq54zuREl.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
            Source: 0.0.5Qq54zuREl.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
            Source: 0.0.5Qq54zuREl.exe.330000.1.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
            Source: 0.0.5Qq54zuREl.exe.330000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
            Source: 0.2.5Qq54zuREl.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
            Source: 0.2.5Qq54zuREl.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
            Source: 00000000.00000003.256351154.00000000009B2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
            Source: 00000000.00000000.262540622.0000000000408000.00000004.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
            Source: 00000000.00000000.260807439.0000000000408000.00000004.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
            Source: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
            Source: 00000001.00000000.256316488.0000000000352000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
            Source: 5Qq54zuREl.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 1.0.AppLaunch.exe.350000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 1.0.AppLaunch.exe.350000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
            Source: 0.3.5Qq54zuREl.exe.9b0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 0.3.5Qq54zuREl.exe.9b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
            Source: 0.0.5Qq54zuREl.exe.330000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 0.0.5Qq54zuREl.exe.330000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
            Source: 0.0.5Qq54zuREl.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 0.0.5Qq54zuREl.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
            Source: 0.0.5Qq54zuREl.exe.330000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 0.0.5Qq54zuREl.exe.330000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
            Source: 0.2.5Qq54zuREl.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 0.2.5Qq54zuREl.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
            Source: 00000000.00000003.256351154.00000000009B2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
            Source: 00000000.00000000.262540622.0000000000408000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
            Source: 00000000.00000000.260807439.0000000000408000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
            Source: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
            Source: 00000001.00000000.256316488.0000000000352000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 248
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003AC070
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003AF439
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_0038410E
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_0039829A
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003CC4B9
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003A8C33
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003D12DF
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003D53A2
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003D550A
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_00381EE0
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_00396316
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003C2408
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003965D4
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_00331CD0
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003968A5
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_00396B63
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_00396E21
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003970F2
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003C3289
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003973B0
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003AF439
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003AB460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_065FEF08
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: String function: 003B9CE6 appears 38 times
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: String function: 00332EAA appears 51 times
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: String function: 0033215D appears 38 times
            Source: 5Qq54zuREl.exe Binary or memory string: OriginalFilename vs 5Qq54zuREl.exe
            Source: 5Qq54zuREl.exe, 00000000.00000000.262540622.0000000000408000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFireworms.exe4 vs 5Qq54zuREl.exe
            Source: 5Qq54zuREl.exe, 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameilasm.exeT vs 5Qq54zuREl.exe
            Source: 5Qq54zuREl.exe Binary or memory string: OriginalFilenameilasm.exeT vs 5Qq54zuREl.exe
            Source: 5Qq54zuREl.exe Static PE information: invalid certificate
            Source: 5Qq54zuREl.exe ReversingLabs: Detection: 70%
            Source: 5Qq54zuREl.exe Virustotal: Detection: 55%
            Source: 5Qq54zuREl.exe Metadefender: Detection: 44%
            Source: 5Qq54zuREl.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Users\user\Desktop\5Qq54zuREl.exe "C:\Users\user\Desktop\5Qq54zuREl.exe"
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 248
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
            Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER68A4.tmp
            Source: classification engine Classification label: mal76.troj.evad.winEXE@4/4@0/1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: 0.3.5Qq54zuREl.exe.9b0000.0.unpack, BrEx.cs Base64 encoded string:
            Source: 1.0.AppLaunch.exe.350000.0.unpack, BrEx.cs Base64 encoded string:
            Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5212
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: 5Qq54zuREl.exe Static file information: File size 1067936 > 1048576
            Source: 5Qq54zuREl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: 5Qq54zuREl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: 5Qq54zuREl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: 5Qq54zuREl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: 5Qq54zuREl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: 5Qq54zuREl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: 5Qq54zuREl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: 5Qq54zuREl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbu source: AppLaunch.exe, 00000001.00000002.525773888.00000000008A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.525773888.00000000008A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.525773888.00000000008A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.525773888.00000000008A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb0} source: AppLaunch.exe, 00000001.00000002.525773888.00000000008A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \Downloads\NewPublish\udezfxe44vl12u\main.pdb source: 5Qq54zuREl.exe
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003320F4 push ecx; ret 0_2_00379493
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_065FC310 push es; ret 1_2_065FC327
            Source: 5Qq54zuREl.exe Static PE information: section name: .00cfg
            Source: 5Qq54zuREl.exe Static PE information: real checksum: 0x10b200 should be: 0x109448
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe API coverage: 2.0 %
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_00331CD0 (non-executed API list omitted)
            Source: AppLaunch.exe, 00000001.00000002.525773888.00000000008A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_0037912A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003CA13B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003CA18E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003CA1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003CA252 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003CA345 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003CA39A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003CA3EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003CA42C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_00422D5C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003B3422 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003421E0 FindWindowW,GetForegroundWindow,GetWindowDC,LdrInitializeThunk,VirtualAlloc,LdrInitializeThunk,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_0037912A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003794E6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_0038A244 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

            HIPS / PFW / Operating System Protection Evasion
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 350000
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4A1008
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 350000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 350000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_003CCBB1
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: EnumSystemLocalesW, 0_2_003CCEFA
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: EnumSystemLocalesW, 0_2_003CCF7C
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: EnumSystemLocalesW, 0_2_003CD03D
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_003CD0EA
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: GetLocaleInfoW, 0_2_003CD3D1
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_003CD540
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: EnumSystemLocalesW, 0_2_003B9582
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: GetLocaleInfoW, 0_2_003CD687
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: EnumSystemLocalesW, 0_2_003B9771
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_003CD789
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: GetLocaleInfoW, 0_2_003BA2C7
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_003798BB cpuid
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\5Qq54zuREl.exe Code function: 0_2_00378FC2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

            Stealing of Sensitive Information
            Source: Yara match File source: 1.0.AppLaunch.exe.350000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.3.5Qq54zuREl.exe.9b0000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.0.5Qq54zuREl.exe.330000.2.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.0.5Qq54zuREl.exe.330000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.0.5Qq54zuREl.exe.330000.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.5Qq54zuREl.exe.330000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000000.00000003.256351154.00000000009B2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000000.262540622.0000000000408000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000000.260807439.0000000000408000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000000.256316488.0000000000352000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: 5Qq54zuREl.exe PID: 5212, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 4600, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 1.0.AppLaunch.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.5Qq54zuREl.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.5Qq54zuREl.exe.330000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.5Qq54zuREl.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.5Qq54zuREl.exe.330000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5Qq54zuREl.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.256351154.00000000009B2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.262540622.0000000000408000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.260807439.0000000000408000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.256316488.0000000000352000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5Qq54zuREl.exe PID: 5212, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 4600, type: MEMORYSTR
MITRE ATT&CK Matrix (numbers before a technique are the report's signature-count badges)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | 311 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 34 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 21 Obfuscated Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Source | Detection | Scanner | Label
5Qq54zuREl.exe | 70% | ReversingLabs | Win32.Trojan.Smokeloader
5Qq54zuREl.exe | 56% | Virustotal |
5Qq54zuREl.exe | 44% | Metadefender |
            No Antivirus matches
Source | Detection | Scanner | Label
1.0.AppLaunch.exe.350000.0.unpack | 100% | Avira | HEUR/AGEN.1251247
0.3.5Qq54zuREl.exe.9b0000.0.unpack | 100% | Avira | HEUR/AGEN.1251247
            No Antivirus matches
Source | Detection | Scanner | Label
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id4Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id3 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id3Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14Response | 0% | URL Reputation | safe
            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://tempuri.org/Entity/Id10Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultL | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/ | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe, URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id4 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe, URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id17Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe, URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe, URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id4Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/ip | 5Qq54zuREl.exe, 5Qq54zuREl.exe, 00000000.00000000.262540622.0000000000408000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000001.00000000.256316488.0000000000352000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id7Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id11Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id20 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe, URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id3 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id18Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/ | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe, URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id3Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id10 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id11 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id17 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id18 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19 | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/actor/next | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14Response | AppLaunch.exe, 00000001.00000002.528075908.0000000006851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
195.54.170.157 | unknown | unknown | 51171 | VALICOM-ASPT | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 699572
Start date and time: 2022-09-08 12:46:15 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 29s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 5Qq54zuREl.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.troj.evad.winEXE@4/4@0/1
EGA Information:
• Successful, ratio: 50%
HDC Information: Failed
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 80
• Number of non-executed functions: 56
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, eudb.ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
• Execution Graph export aborted for target AppLaunch.exe, PID 4600, because it is empty
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
12:47:27 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection
195.54.170.157 | file.exe | malicious
| q1wLT3xKiY.exe | malicious
| 9n6ctoq7cn.exe | malicious
| xZ4q0nNSPX.exe | malicious
| 9n6ctoq7cn.exe | malicious
| WSkT8d093C.exe | malicious
| em1B8DcC72.exe | malicious
| JMDc707Z03.exe | malicious
| 22nuoItfxs.exe | malicious
| l5Pmw9b4cO.exe | malicious
| FgHKF9V3FB.exe | malicious
| 2JxF8anOVP.exe | malicious
                                                                No context
Match | Associated Sample Name / URL | Detection | Context
VALICOM-ASPT | file.exe | malicious | 195.54.170.157
| q1wLT3xKiY.exe | malicious | 195.54.170.157
| 9n6ctoq7cn.exe | malicious | 195.54.170.157
| xZ4q0nNSPX.exe | malicious | 195.54.170.157
| 9n6ctoq7cn.exe | malicious | 195.54.170.157
| WSkT8d093C.exe | malicious | 195.54.170.157
| em1B8DcC72.exe | malicious | 195.54.170.157
| JMDc707Z03.exe | malicious | 195.54.170.157
| 22nuoItfxs.exe | malicious | 195.54.170.157
| l5Pmw9b4cO.exe | malicious | 195.54.170.157
| FgHKF9V3FB.exe | malicious | 195.54.170.157
| 2JxF8anOVP.exe | malicious | 195.54.170.157
                                                                No context
                                                                No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.6957027808479201
Encrypted: false
SSDEEP: 96:fPF+0GIAEfZgySlFxoI7Ry6tpXIQcQvc6QcEDMcw3DpBz+HbHg/8BRTf3OyWZAXD:H2NExgygHBUZMXYjuq/u7sAbS274ItW
MD5: 08DBAB4BB38C9099862E9CEDC380FC3F
SHA1: DCD75B116EAB1E98A081348D0761D4AE8FDA7E41
SHA-256: 346E1039C3E21F7B783DEB964C84BE2D0B6166D095865C049D12C6467D61903F
SHA-512: DCE8A656CC14AA965FA5F1FC0232DB0A17F6D64DD554DE9CAE7F37AD86EC9D76CD358B416CC1721200DF5270755D98F55ACBA533F072760B74BCB9419058C026
Malicious: true
Reputation: low
                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.7.1.4.0.0.4.3.0.4.8.5.6.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.7.1.4.0.0.4.5.1.5.7.9.0.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.7.1.8.d.a.6.-.4.6.2.6.-.4.c.3.1.-.9.3.3.d.-.d.e.2.6.1.0.6.a.8.2.c.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.c.7.e.d.1.3.-.7.1.a.2.-.4.6.d.8.-.9.6.f.1.-.6.0.9.3.b.6.0.6.7.0.6.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.5.Q.q.5.4.z.u.R.E.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.i.l.a.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.5.c.-.0.0.0.1.-.0.0.1.a.-.7.c.2.5.-.c.c.c.c.b.b.c.3.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.c.1.b.e.e.9.7.6.6.0.4.c.6.f.e.9.0.9.5.d.c.0.e.8.7.f.3.b.5.2.0.0.0.0.0.0.9.0.4.!.0.0.0.0.6.a.4.b.8.2.2.4.7.8.f.c.7.e.e.8.7.c.e.9.f.5.d.7.c.4.c.3.8.e.c.a.7.1.c.8.1.7.4.b.!.5.Q.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Thu Sep 8 19:47:23 2022, 0x1205a4 type
Category: dropped
Size (bytes): 34488
Entropy (8bit): 1.7560256446285285
Encrypted: false
SSDEEP: 96:5u8t8M/DpSbJRRFtRbi7o6Qp6gNQYfB0c7A3Juf4tRngOCJ/qU2WI3WI84IvJvx7:vhDpSbvpRbOK3QeA0yRgOqHJvxKyv
MD5: D81B7B9F0DED01079872B02DBC1F1615
SHA1: 6F9B8B247DC57952D48AB69816B32C9BD728A936
SHA-256: 1DEE6AEE89529C9C8A4A92252FFFFD336299D3AB44D0A2F70B0BA5BC8E025073
SHA-512: F1A69EB6C4D6BC499594DCA39F5DA33CA790FE96BF3241D62646BBAEA197D7B2B3508F0F5638415C7C4B98CA799416B897B9E8C6E5D9C3752D003AFA648C4090
Malicious: false
Reputation: low
                                                                Preview:MDMP....... ........F.c....................................................T.......8...........T...........`...X|...........................................................................................U...........B......4.......GenuineIntelW...........T.......\....F.c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8398
Entropy (8bit): 3.702788453124229
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiNM6SJq6YAASUDb7GgmfLSkOCprh89bjBsflBm:RrlsNim6SJq6YHSUD2gmfLSkYj6f6
MD5: E3B8A6E44D52C878B322CFD8CB3516B7
SHA1: 67D8276C102AB313FD862ECB1DE761CD1D70CFC8
SHA-256: 0AC4310535EF991F2CB5FBDC76267672244834A9B8EA8CA21161C024F2F22B11
SHA-512: 7E46DDDD92295933F81DF6481565A5471B57620EFD90FB096956617680A30F8D900A62DBBC12ECF8E4DD31FB516E46B3EBA1B031628C7F5422B178D355FCE75E
Malicious: false
Reputation: low
                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.1.2.<./.P.i.d.>.......

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4775
Entropy (8bit): 4.496363110881563
Encrypted: false
SSDEEP: 48:cvIwSD8zsbJgtWI9B/hWgc8sqYjLX8fm8M4J0/MF6oP+q8vP/j33wAO2nbnord:uITf1E/wgrsqY/8JmJoPK3jwAdnbnord
MD5: 92BC3B43E3EED0AB30EB0695AAD04C3C
SHA1: 30ED01F3EEF90B6743A17184460BAC8BFE6AEC3C
SHA-256: 299D516A5BE92DAF64A8C81589B55C5481C89FB2FF8F9B63F4EBF9283597A3A5
SHA-512: 29D1342B67C516D091D3EC638130BA293AED77EBBCD7A9197FFCC76E682777CF6595D80694737250124DD1210EE68FE9295BDEED320D14F9488E58AC80A79596
Malicious: false
Reputation: low
                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1683658" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.146529475476847
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 5Qq54zuREl.exe
File size: 1067936
MD5: ef105c04e69b202408cae62ab05ed460
SHA1: 6a4b822478fc7ee87ce9f5d7c4c38eca71c8174b
SHA256: 6f03dfd71abd06402371157eac912ffeae7871a6d93b8d2dad3242ae59644fcf
SHA512: fe456bfda4a970157a24ac751f432dc132cf87c74548d02a1ab38b812a70049a739066719626ab54b834f8ed9b72a22bccd284cbc365356f5960c57d134f32c2
SSDEEP: 24576:HjXF6TsrGZj7bU1vosbtXqf9O1iMb+g/9IJ:H56Fj7bU1vFMY7b+o9IJ
TLSH: 0135AF1179D08133EDE320FB06EDB5A2022DE8B10B2149DF66D6D7EEB6B06C16E32557
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@...!...!...!...J...!...J..D!...J...!...[...!...[...!...J...!...!...!...[...!...[...!...[Z..!...[...!..Rich.!.................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4011ae
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x630A7006 [Sat Aug 27 19:27:02 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 48c28d9f3783f0e32815b0b4c57a60a9
Signature Valid: false
Signature Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before | Not After
5/12/2022 1:47:06 PM | 5/11/2023 1:47:06 PM
Subject Chain
• CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version: 3
Thumbprint MD5: EABC613BA6EE76D49AD6FB19EEE33C79
Thumbprint SHA-1: DE2396BCEB7E3CD13BF3D370424A560F97CABDE7
Thumbprint SHA-256: 9406808DFFD22AF703070F39AEF66208D113859FA99ACC6217A8F879AA56E315
Serial: 33000004916462F3B73EE20CCD000000000491
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfd218 | 0x3c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xff000 | 0x605 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x102600 | 0x25a0 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x100000 | 0x69d4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xce760 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xce678 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xfd000 | 0x218 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb0b2b | 0xb0c00 | False | 0.36263757514144274 | data | 5.8878105771850295 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb2000 | 0x254d5 | 0x25600 | False | 0.38322402801003347 | data | 4.193927675726189 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xd8000 | 0x24878 | 0x22e00 | False | 0.42548023073476704 | data | 6.188480329689431 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xfd000 | 0xd14 | 0xe00 | False | 0.33816964285714285 | data | 4.526245588273773 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0xfe000 | 0x10e | 0x200 | False | 0.03515625 | data | 0.11055713125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xff000 | 0x605 | 0x800 | False | 0.3505859375 | data | 3.354229781377713 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x100000 | 0x7954 | 0x7a00 | False | 0.6572105532786885 | data | 6.288367235843316 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xff0a0 | 0x3e8 | data | English | United States
RT_MANIFEST | 0xff488 | 0x17d | XML 1.0 document text | English | United States

DLL | Import
USER32.dll | FindWindowW, FindWindowA, GetWindowDC, GetForegroundWindow
KERNEL32.dll | FreeLibrary, CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, GetCurrentProcess, GetCurrentProcessId, GetSystemInfo, VirtualAlloc, SetConsoleTitleA, FormatMessageA, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, LocalFree, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetLocaleInfoEx, GetStringTypeW, CompareStringEx, GetCPInfo, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, TerminateProcess, SetEnvironmentVariableW, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, WriteConsoleW, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetCurrentThread, HeapFree, HeapAlloc, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, SetConsoleCtrlHandler, GetTimeZoneInformation, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW

Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 8, 2022 12:47:39.435297966 CEST | 49726 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:47:42.486813068 CEST | 49726 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:47:48.487292051 CEST | 49726 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:48:05.774568081 CEST | 49739 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:48:08.910896063 CEST | 49739 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:48:14.911395073 CEST | 49739 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:48:31.931972980 CEST | 49744 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:48:34.944400072 CEST | 49744 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:48:40.960525036 CEST | 49744 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:48:57.996768951 CEST | 49781 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:49:01.009143114 CEST | 49781 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:49:07.025223017 CEST | 49781 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:49:24.263010025 CEST | 49804 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:49:27.276961088 CEST | 49804 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:49:33.277445078 CEST | 49804 | 16525 | 192.168.2.7 | 195.54.170.157
Sep 8, 2022 12:49:50.296199083 CEST | 49806 | 16525 | 192.168.2.7 | 195.54.170.157

Target ID: 0
Start time: 12:47:17
Start date: 08/09/2022
Path: C:\Users\user\Desktop\5Qq54zuREl.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\5Qq54zuREl.exe"
Imagebase: 0x330000
File size: 1067936 bytes
MD5 hash: EF105C04E69B202408CAE62AB05ED460
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.256351154.00000000009B2000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000000.00000003.256351154.00000000009B2000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.262540622.0000000000408000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000000.00000000.262540622.0000000000408000.00000004.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.260807439.0000000000408000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000000.00000000.260807439.0000000000408000.00000004.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: low

Target ID: 1
Start time: 12:47:17
Start date: 08/09/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase: 0xce0000
File size: 98912 bytes
MD5 hash: 6807F903AC06FF7E1670181378690B22
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.256316488.0000000000352000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000001.00000000.256316488.0000000000352000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation: high

Target ID: 5
Start time: 12:47:22
Start date: 08/09/2022
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 248
Imagebase: 0xe40000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high


                                                                  Execution Graph

                                                                  Execution Coverage:0.6%
                                                                  Dynamic/Decrypted Code Coverage:45%
                                                                  Signature Coverage:77.1%
                                                                  Total number of Nodes:109
                                                                  Total number of Limit Nodes:12
                                                                  execution_graph 37627 3cdabd 37628 3cdacd 37627->37628 37629 3cdaeb 37627->37629 37628->37629 37631 331767 37628->37631 37631->37628 37632 3bad37 37631->37632 37634 3bad68 37632->37634 37637 3bab73 GetStartupInfoW GetFileType 37632->37637 37634->37628 37635 3bad63 37638 3bac56 GetStdHandle GetFileType 37635->37638 37637->37635 37638->37634 37639 3b94f8 37640 3b9505 37639->37640 37641 3b9530 RtlAllocateHeap 37640->37641 37642 3b9543 37640->37642 37641->37640 37641->37642 37643 3421e0 37644 342204 37643->37644 37645 34221d VirtualAlloc 37644->37645 37646 3c959b GetEnvironmentStringsW 37649 3c95b2 37646->37649 37647 3c9618 37648 3c9611 FreeEnvironmentStringsW 37648->37647 37649->37647 37649->37648 37650 334624 37651 342670 37650->37651 37652 342682 37651->37652 37655 331cd0 37651->37655 37654 34267c 37655->37654 37656 342690 37655->37656 37657 3426f0 GetCurrentProcess FindWindowA 37656->37657 37658 342758 FindWindowW 37657->37658 37659 34276b GetCurrentProcessId 37657->37659 37658->37659 37661 342a28 37659->37661 37672 34279d 37659->37672 37660 3502f6 FindWindowA 37664 350319 7 API calls 37660->37664 37665 35030b FindWindowW GetCurrentProcessId 37660->37665 37661->37660 37667 342c41 17 API calls 37661->37667 37668 342a55 GetCurrentProcessId 37661->37668 37669 342e50 GetForegroundWindow 37661->37669 37710 342c0e SetConsoleTitleA 37661->37710 37662 3427d6 37663 342800 FindWindowA GetWindowDC GetForegroundWindow GetWindowDC 37662->37663 37676 342865 GetCurrentProcess GetForegroundWindow 37663->37676 37670 350379 GetCurrentProcess FindWindowW SetConsoleTitleA GetCurrentProcessId FindWindowA 37664->37670 37671 3503a8 GetForegroundWindow 37664->37671 37665->37664 37666 3427aa GetSystemInfo 37666->37672 37673 3507ca 37666->37673 37674 342d87 GetForegroundWindow 37667->37674 37675 342d77 GetWindowDC GetForegroundWindow GetWindowDC 37667->37675 37677 342a94 10 API calls 37668->37677 37678 342a61 
GetForegroundWindow GetWindowDC GetForegroundWindow 37668->37678 37679 342e81 SetConsoleTitleA GetCurrentProcessId GetWindowDC GetForegroundWindow GetCurrentProcessId 37669->37679 37680 342e6e SetConsoleTitleA GetForegroundWindow GetCurrentProcessId 37669->37680 37670->37671 37681 3503d4 8 API calls 37671->37681 37682 3503bc GetCurrentProcessId GetCurrentProcess FindWindowW 37671->37682 37672->37660 37672->37662 37672->37666 37707 3427d1 KiUserExceptionDispatcher 37672->37707 37673->37654 37685 342dc4 FindWindowA 37674->37685 37686 342db3 SetConsoleTitleA GetCurrentProcessId 37674->37686 37675->37674 37687 342876 FindWindowW 37676->37687 37688 342889 GetCurrentProcess GetCurrentProcessId 37676->37688 37689 342b7e GetWindowDC GetCurrentProcessId GetForegroundWindow FindWindowW 37677->37689 37690 342b99 GetCurrentProcessId 37677->37690 37701 342a78 FindWindowA FindWindowW 37678->37701 37691 342edd GetWindowDC FindWindowA GetCurrentProcessId SetConsoleTitleA GetCurrentProcessId 37679->37691 37692 342edb GetForegroundWindow 37679->37692 37680->37679 37683 350480 GetCurrentProcessId GetForegroundWindow SetConsoleTitleA GetCurrentProcessId GetWindowDC 37681->37683 37684 35049e GetForegroundWindow FindWindowA 37681->37684 37682->37681 37683->37684 37695 3504e1 6 API calls 37684->37695 37696 3504cf GetCurrentProcess FindWindowW 37684->37696 37697 342df2 SetConsoleTitleA GetCurrentProcessId GetCurrentProcess 37685->37697 37698 342de8 GetCurrentProcess GetCurrentProcess 37685->37698 37686->37685 37687->37688 37699 3428c2 FindWindowA SetConsoleTitleA GetForegroundWindow GetWindowDC FindWindowA 37688->37699 37700 3428fa 37688->37700 37689->37690 37702 342bb0 FindWindowW GetCurrentProcess 37690->37702 37703 342bc2 FindWindowW 37690->37703 37693 342f84 FindWindowA 37691->37693 37694 342f4a 6 API calls 37691->37694 37692->37691 37704 342fc3 6 API calls 37693->37704 37705 342fbd GetCurrentProcessId 37693->37705 37694->37693 37695->37657 37708 350526 SetConsoleTitleA FindWindowW 
GetCurrentProcessId SetConsoleTitleA FindWindowW 37695->37708 37696->37695 37697->37661 37697->37667 37698->37697 37709 342900 SetConsoleTitleA FindWindowW GetWindowDC SetConsoleTitleA FindWindowW 37699->37709 37700->37709 37701->37677 37702->37703 37703->37661 37706 342be1 FindWindowA FindWindowW 37703->37706 37711 34304c GetWindowDC GetCurrentProcess GetForegroundWindow FindWindowA 37704->37711 37712 34302f SetConsoleTitleA FindWindowW GetCurrentProcessId 37704->37712 37705->37704 37706->37661 37707->37662 37713 350564 FindWindowA 37708->37713 37714 342956 GetCurrentProcessId 37709->37714 37715 34295c GetCurrentProcess SetConsoleTitleA FindWindowA 37709->37715 37710->37660 37716 34309f FindWindowA 37711->37716 37717 343088 FindWindowW SetConsoleTitleA 37711->37717 37712->37711 37718 350584 SetConsoleTitleA 37713->37718 37719 35058f GetForegroundWindow 37713->37719 37714->37715 37720 3429b4 9 API calls 37715->37720 37721 3429ab GetForegroundWindow SetConsoleTitleA 37715->37721 37716->37669 37722 3430d1 GetWindowDC 37716->37722 37717->37716 37718->37719 37723 3505dc 6 API calls 37719->37723 37724 3505a8 GetWindowDC FindWindowW SetConsoleTitleA GetCurrentProcessId FindWindowA 37719->37724 37720->37661 37720->37663 37721->37720 37722->37660 37725 350640 FindWindowW 37723->37725 37726 35063e GetForegroundWindow 37723->37726 37724->37723 37727 350682 FindWindowA 37725->37727 37728 350679 GetForegroundWindow GetWindowDC 37725->37728 37726->37725 37729 3506b5 GetCurrentProcessId 37727->37729 37730 3506bb 14 API calls 37727->37730 37728->37727 37729->37730 37730->37713 37731 350769 GetCurrentProcessId 37730->37731 37732 350772 SetConsoleTitleA GetForegroundWindow 37731->37732 37733 35077f GetCurrentProcess FindWindowA 37731->37733 37732->37733 37734 3507b6 37733->37734 37735 3507aa FindWindowW 37733->37735 37734->37656 37734->37673 37735->37734 37736 3bade6 37738 3bae22 37736->37738 37739 3badf4 37736->37739 37737 3bae0f RtlAllocateHeap 37737->37738 37737->37739 
37739->37737 37739->37738

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 0 331cd0-3426ca call 3354bb 4 3426d0-3426e9 0->4 5 3426f0-342756 GetCurrentProcess FindWindowA 4->5 6 342758-342764 FindWindowW 5->6 7 34276b-342797 GetCurrentProcessId 5->7 6->7 8 34279d 7->8 9 342a39-342a3d 7->9 12 3427d6-3427ff 8->12 13 34279f-3427a4 8->13 10 3502f6-350309 FindWindowA 9->10 11 342a43 9->11 18 350319-350377 SetConsoleTitleA GetCurrentProcess GetCurrentProcessId SetConsoleTitleA GetCurrentProcess GetWindowDC GetForegroundWindow 10->18 19 35030b-350317 FindWindowW GetCurrentProcessId 10->19 15 342e26-342e4f 11->15 16 342c1e-342c39 11->16 17 342a4a-342a4d 11->17 14 342800-342874 FindWindowA GetWindowDC GetForegroundWindow GetWindowDC GetCurrentProcess GetForegroundWindow 12->14 13->10 20 3427aa-3427ba GetSystemInfo 13->20 42 342876-342882 FindWindowW 14->42 43 342889-3428c0 GetCurrentProcess GetCurrentProcessId 14->43 23 342e50-342e6c GetForegroundWindow 15->23 21 342c41-342d75 FindWindowW GetCurrentProcess FindWindowW GetCurrentProcess FindWindowW SetConsoleTitleA FindWindowW GetCurrentProcess FindWindowW GetCurrentProcess FindWindowW GetCurrentProcess SetConsoleTitleA GetWindowDC * 2 GetCurrentProcess FindWindowW 16->21 22 342a55-342a5f GetCurrentProcessId 17->22 24 350379-3503a2 GetCurrentProcess FindWindowW SetConsoleTitleA GetCurrentProcessId FindWindowA 18->24 25 3503a8-3503ba GetForegroundWindow 18->25 19->18 26 3427c0-3427cc call 33236a call 3321f8 20->26 27 3507ca-3507d1 20->27 28 342d87-342db1 GetForegroundWindow 21->28 29 342d77-342d85 GetWindowDC GetForegroundWindow GetWindowDC 21->29 31 342a94-342b7c GetCurrentProcessId GetCurrentProcess FindWindowW SetConsoleTitleA GetCurrentProcess SetConsoleTitleA FindWindowW GetCurrentProcessId GetForegroundWindow FindWindowW 22->31 32 342a61-342a92 GetForegroundWindow GetWindowDC GetForegroundWindow FindWindowA FindWindowW 22->32 33 342e81-342ed9 SetConsoleTitleA GetCurrentProcessId GetWindowDC GetForegroundWindow 
GetCurrentProcessId 23->33 34 342e6e-342e7b SetConsoleTitleA GetForegroundWindow GetCurrentProcessId 23->34 24->25 36 3503d4-35047e SetConsoleTitleA GetWindowDC FindWindowA SetConsoleTitleA GetCurrentProcessId GetWindowDC FindWindowA FindWindowW 25->36 37 3503bc-3503d2 GetCurrentProcessId GetCurrentProcess FindWindowW 25->37 65 3427d1 KiUserExceptionDispatcher 26->65 40 342dc4-342de6 FindWindowA 28->40 41 342db3-342dbe SetConsoleTitleA GetCurrentProcessId 28->41 29->28 44 342b7e-342b97 GetWindowDC GetCurrentProcessId GetForegroundWindow FindWindowW 31->44 45 342b99-342bae GetCurrentProcessId 31->45 32->31 46 342edd-342f48 GetWindowDC FindWindowA GetCurrentProcessId SetConsoleTitleA GetCurrentProcessId 33->46 47 342edb GetForegroundWindow 33->47 34->33 38 350480-35049c GetCurrentProcessId GetForegroundWindow SetConsoleTitleA GetCurrentProcessId GetWindowDC 36->38 39 35049e-3504cd GetForegroundWindow FindWindowA 36->39 37->36 38->39 51 3504e1-350520 GetCurrentProcess GetCurrentProcessId GetWindowDC GetForegroundWindow FindWindowA GetCurrentProcessId 39->51 52 3504cf-3504df GetCurrentProcess FindWindowW 39->52 53 342df2-342e1b SetConsoleTitleA GetCurrentProcessId GetCurrentProcess 40->53 54 342de8-342df0 GetCurrentProcess * 2 40->54 41->40 42->43 55 3428c2-3428f8 FindWindowA SetConsoleTitleA GetForegroundWindow GetWindowDC FindWindowA 43->55 56 3428fa 43->56 44->45 58 342bb0-342bbc FindWindowW GetCurrentProcess 45->58 59 342bc2-342bdf FindWindowW 45->59 49 342f84-342fbb FindWindowA 46->49 50 342f4a-342f82 SetConsoleTitleA FindWindowA GetCurrentProcessId FindWindowA SetConsoleTitleA GetForegroundWindow 46->50 47->46 61 342fc3-34302d GetCurrentProcess FindWindowA GetWindowDC GetCurrentProcess GetWindowDC FindWindowA 49->61 62 342fbd GetCurrentProcessId 49->62 50->49 51->5 66 350526-35055c SetConsoleTitleA FindWindowW GetCurrentProcessId SetConsoleTitleA FindWindowW 51->66 52->51 53->21 67 342e21 53->67 54->53 68 342900-342954 SetConsoleTitleA FindWindowW GetWindowDC 
SetConsoleTitleA FindWindowW 55->68 56->68 58->59 63 342be1-342bfb FindWindowA FindWindowW 59->63 64 342bfd-342c08 59->64 70 34304c-343086 GetWindowDC GetCurrentProcess GetForegroundWindow FindWindowA 61->70 71 34302f-343046 SetConsoleTitleA FindWindowW GetCurrentProcessId 61->71 62->61 63->64 64->22 69 342c0e-342c19 SetConsoleTitleA 64->69 65->12 72 350564-350582 FindWindowA 66->72 67->10 73 342956 GetCurrentProcessId 68->73 74 34295c-3429a9 GetCurrentProcess SetConsoleTitleA FindWindowA 68->74 69->10 75 34309f-3430cb FindWindowA 70->75 76 343088-343099 FindWindowW SetConsoleTitleA 70->76 71->70 77 350584-350589 SetConsoleTitleA 72->77 78 35058f-3505a6 GetForegroundWindow 72->78 73->74 79 3429b4-342a22 GetCurrentProcess FindWindowW GetWindowDC FindWindowA GetForegroundWindow FindWindowW GetForegroundWindow GetCurrentProcess GetCurrentProcessId 74->79 80 3429ab-3429b2 GetForegroundWindow SetConsoleTitleA 74->80 75->23 81 3430d1-3430de GetWindowDC 75->81 76->75 77->78 82 3505dc-35063c SetConsoleTitleA FindWindowW GetWindowDC GetCurrentProcessId FindWindowA FindWindowW 78->82 83 3505a8-3505d6 GetWindowDC FindWindowW SetConsoleTitleA GetCurrentProcessId FindWindowA 78->83 79->14 84 342a28-342a34 79->84 80->79 81->10 85 350640-350677 FindWindowW 82->85 86 35063e GetForegroundWindow 82->86 83->82 84->10 88 350682-3506b3 FindWindowA 85->88 89 350679-350680 GetForegroundWindow GetWindowDC 85->89 86->85 90 3506b5 GetCurrentProcessId 88->90 91 3506bb-350763 SetConsoleTitleA FindWindowW SetConsoleTitleA GetWindowDC SetConsoleTitleA GetForegroundWindow GetWindowDC SetConsoleTitleA GetCurrentProcessId FindWindowA GetCurrentProcessId SetConsoleTitleA GetCurrentProcessId FindWindowA 88->91 89->88 90->91 91->72 92 350769-350770 GetCurrentProcessId 91->92 93 350772-35077d SetConsoleTitleA GetForegroundWindow 92->93 94 35077f-3507a8 GetCurrentProcess FindWindowA 92->94 93->94 95 3507b6-3507c4 94->95 96 3507aa-3507b4 FindWindowW 94->96 95->4 95->27 96->95
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 00342717
                                                                  • FindWindowA.USER32 ref: 0034274D
                                                                  • FindWindowW.USER32(xkfmryj,mdzzndn), ref: 00342762
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00342787
                                                                  • GetSystemInfo.KERNELBASE(?), ref: 003427AF
                                                                  • FindWindowA.USER32 ref: 00342815
                                                                  • GetWindowDC.USER32(00005F22), ref: 00342828
                                                                  • GetForegroundWindow.USER32 ref: 0034282A
                                                                  • GetWindowDC.USER32(00002499), ref: 00342857
                                                                  • GetCurrentProcess.KERNEL32 ref: 00342865
                                                                  • GetForegroundWindow.USER32 ref: 0034286F
                                                                  • FindWindowW.USER32(fyuqfkp,cmfuxst), ref: 00342880
                                                                  • GetCurrentProcess.KERNEL32 ref: 003428A5
                                                                  • GetCurrentProcessId.KERNEL32 ref: 003428B5
                                                                  • FindWindowA.USER32 ref: 003428CC
                                                                  • SetConsoleTitleA.KERNEL32(wrywyhb), ref: 003428DD
                                                                  • GetForegroundWindow.USER32 ref: 003428DF
                                                                  • GetWindowDC.USER32(00002A1B), ref: 003428E6
                                                                  • FindWindowA.USER32 ref: 003428F2
                                                                  • SetConsoleTitleA.KERNEL32(exkvizq), ref: 00342905
                                                                  • FindWindowW.USER32(ajxuqsr,eahuiqd), ref: 00342911
                                                                  • GetWindowDC.USER32(0000357F), ref: 00342918
                                                                  • SetConsoleTitleA.KERNEL32(ppjjkfb), ref: 0034291F
                                                                  • FindWindowW.USER32(yuzqjxb,uhdgyvg), ref: 0034294F
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00342956
                                                                  • GetCurrentProcess.KERNEL32 ref: 0034296E
                                                                  • SetConsoleTitleA.KERNEL32(goxdbub), ref: 0034297F
                                                                  • FindWindowA.USER32 ref: 003429A0
                                                                  • GetForegroundWindow.USER32 ref: 003429AB
                                                                  • SetConsoleTitleA.KERNEL32(ezbqcop), ref: 003429B2
                                                                  • GetCurrentProcess.KERNEL32 ref: 003429C8
                                                                  • FindWindowW.USER32(pvcoblt,hjebsqf), ref: 003429D8
                                                                  • GetWindowDC.USER32(0000522A), ref: 003429DF
                                                                  • FindWindowA.USER32 ref: 003429EB
                                                                  • GetForegroundWindow.USER32 ref: 003429F1
                                                                  • FindWindowW.USER32(oslzhot,wmsngch), ref: 003429FD
                                                                  • GetForegroundWindow.USER32 ref: 003429FF
                                                                  • GetCurrentProcess.KERNEL32 ref: 00342A0F
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00342A1B
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00342A58
                                                                  • GetForegroundWindow.USER32 ref: 00342A61
                                                                  • GetWindowDC.USER32(000057B9), ref: 00342A68
                                                                  • GetForegroundWindow.USER32 ref: 00342A6A
                                                                  • FindWindowA.USER32 ref: 00342A82
                                                                  • FindWindowW.USER32(puuaujq,mftrfxv), ref: 00342A92
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00342AB7
                                                                  • GetCurrentProcess.KERNEL32 ref: 00342AD3
                                                                  • FindWindowW.USER32(vuevryi,wwbfbuu), ref: 00342AE3
                                                                  • SetConsoleTitleA.KERNEL32(lvpfxtu), ref: 00342AFE
                                                                  • GetCurrentProcess.KERNEL32 ref: 00342B04
                                                                  • SetConsoleTitleA.KERNEL32(ahzdqmi), ref: 00342B2E
                                                                  • FindWindowW.USER32(wbrssbw,zabqzsi), ref: 00342B3E
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00342B40
                                                                  • GetForegroundWindow.USER32 ref: 00342B46
                                                                  • FindWindowW.USER32(ialyzyo,pwrjqbq), ref: 00342B77
                                                                  • GetWindowDC.USER32(00004183), ref: 00342B83
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00342B85
                                                                  • GetForegroundWindow.USER32 ref: 00342B8B
                                                                  • FindWindowW.USER32(nshyoky,iipoidv), ref: 00342C4D
                                                                  • GetCurrentProcess.KERNEL32 ref: 00342C6A
                                                                  • FindWindowW.USER32(qrnnvvf,avjvdua), ref: 00342C76
                                                                  • GetCurrentProcess.KERNEL32 ref: 00342C78
                                                                  • FindWindowW.USER32(buczgeu,fnltnxy), ref: 00342C84
                                                                  • SetConsoleTitleA.KERNEL32(owpipkg), ref: 00342CB0
                                                                  • FindWindowW.USER32(vipcntb,uqwkhcz), ref: 00342CC0
                                                                  • GetCurrentProcess.KERNEL32 ref: 00342CC2
                                                                  • FindWindowW.USER32(dpzrlrh,kprieog), ref: 00342CE4
                                                                  • GetCurrentProcess.KERNEL32 ref: 00342D0B
                                                                  • FindWindowW.USER32(gtwrggo,lnkjcmt), ref: 00342D17
                                                                  • GetCurrentProcess.KERNEL32 ref: 00342D19
                                                                  • SetConsoleTitleA.KERNEL32(lgfurfn), ref: 00342D20
                                                                  • GetWindowDC.USER32(000027E0), ref: 00342D4B
                                                                  • GetWindowDC.USER32(000003F6), ref: 00342D52
                                                                  • GetCurrentProcess.KERNEL32 ref: 00342D54
                                                                  • GetForegroundWindow.USER32 ref: 00342E67
                                                                  • SetConsoleTitleA.KERNEL32(wrxfwtl), ref: 00342E73
                                                                  • GetForegroundWindow.USER32 ref: 00342E79
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00342E7B
                                                                  • SetConsoleTitleA.KERNEL32(ypbsctq), ref: 00342EA6
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00342EAC
                                                                  • GetWindowDC.USER32(00007488), ref: 00342EB7
                                                                  • GetForegroundWindow.USER32 ref: 00342EB9
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00342ECE
                                                                  • GetForegroundWindow.USER32 ref: 00342EDB
                                                                  • GetWindowDC.USER32(00006A82), ref: 00342EF9
                                                                  • FindWindowA.USER32 ref: 00342F05
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00342F0B
                                                                  • SetConsoleTitleA.KERNEL32(chcjfqm), ref: 00342F16
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00342F41
                                                                  • SetConsoleTitleA.KERNEL32(vggymlo), ref: 00342F4F
                                                                  • FindWindowA.USER32 ref: 00342F5F
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00342F65
                                                                  • FindWindowA.USER32 ref: 00342F71
                                                                  • SetConsoleTitleA.KERNEL32(qujfycv), ref: 00342F7C
                                                                  • FindWindowA.USER32 ref: 00350300
                                                                  • FindWindowW.USER32(cfpnaab,nxhluxd), ref: 00350315
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00350317
                                                                  • SetConsoleTitleA.KERNEL32(ixgfbpw), ref: 00350334
                                                                  • GetCurrentProcess.KERNEL32 ref: 00350336
                                                                  • GetCurrentProcessId.KERNEL32 ref: 0035033C
                                                                  • SetConsoleTitleA.KERNEL32(qxpdtax), ref: 00350347
                                                                  • GetCurrentProcess.KERNEL32 ref: 00350366
                                                                  • GetWindowDC.USER32(0000153E), ref: 0035036D
                                                                  • GetForegroundWindow.USER32 ref: 00350372
                                                                  • GetCurrentProcess.KERNEL32 ref: 00350379
                                                                  • FindWindowW.USER32(icsgtfn,qxknvmw), ref: 00350385
                                                                  • SetConsoleTitleA.KERNEL32(nizrxks), ref: 0035038C
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00350392
                                                                  • FindWindowA.USER32 ref: 003503A2
                                                                  • GetForegroundWindow.USER32 ref: 003503B5
                                                                  • GetCurrentProcessId.KERNEL32 ref: 003503BC
                                                                  • GetCurrentProcess.KERNEL32 ref: 003503C2
                                                                  • FindWindowW.USER32(cbowzfq,bkuhxwy), ref: 003503D2
                                                                  • SetConsoleTitleA.KERNEL32(jidcbye), ref: 003503EA
                                                                  • GetWindowDC.USER32(00003E8B), ref: 003503F5
                                                                  • FindWindowA.USER32 ref: 00350401
                                                                  • SetConsoleTitleA.KERNEL32(wacesxu), ref: 00350424
                                                                  • GetCurrentProcessId.KERNEL32 ref: 0035042A
                                                                  • GetWindowDC.USER32(000040F4), ref: 00350455
                                                                  • FindWindowA.USER32 ref: 00350461
                                                                  • FindWindowW.USER32(ahggkgl,xliobon), ref: 00350479
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00350486
                                                                  • GetForegroundWindow.USER32 ref: 00350488
                                                                  • SetConsoleTitleA.KERNEL32(jrqypgz), ref: 0035048F
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00350495
                                                                  • GetWindowDC.USER32(00000203), ref: 0035049C
                                                                  • GetForegroundWindow.USER32 ref: 003504A3
                                                                  • FindWindowA.USER32 ref: 003504C4
                                                                  • GetCurrentProcess.KERNEL32 ref: 003504CF
                                                                  • FindWindowW.USER32(bgsbpmt,xofetxj), ref: 003504DF
                                                                  • GetCurrentProcess.KERNEL32 ref: 003504E9
• GetCurrentProcessId.KERNEL32 ref: 003504F5
• GetWindowDC.USER32(00005C35), ref: 003504FC
• GetForegroundWindow.USER32 ref: 003504FE
• FindWindowA.USER32 ref: 0035050A
• GetCurrentProcessId.KERNEL32 ref: 00350510
• SetConsoleTitleA.KERNEL32(cereesc), ref: 0035052B
• FindWindowW.USER32(kbodotu,epoamyi), ref: 0035053B
• GetCurrentProcessId.KERNEL32 ref: 0035053D
• SetConsoleTitleA.KERNEL32(qdslgga), ref: 00350544
• FindWindowW.USER32(yyiodav,hdwdruh), ref: 00350554
• FindWindowA.USER32 ref: 00350579
• SetConsoleTitleA.KERNEL32(vysgjtl), ref: 00350589
• GetForegroundWindow.USER32 ref: 003505A1
• GetWindowDC.USER32(0000117A), ref: 003505AD
• FindWindowW.USER32(puvhgbo,jzkcwjj), ref: 003505B9
• SetConsoleTitleA.KERNEL32(uraungw), ref: 003505C0
• GetCurrentProcessId.KERNEL32 ref: 003505C6
• FindWindowA.USER32 ref: 003505D6
• SetConsoleTitleA.KERNEL32(jrgyqdd), ref: 003505E4
• FindWindowW.USER32(cwwcsjm,dlyzvax), ref: 003505F4
• GetWindowDC.USER32(000067D5), ref: 003505FB
• GetCurrentProcessId.KERNEL32 ref: 003505FD
• FindWindowA.USER32 ref: 0035060D
• FindWindowW.USER32(cypjhvp,sakzcte), ref: 00350637
• GetForegroundWindow.USER32 ref: 0035063E
• FindWindowW.USER32(nphoixa,qrzzynq), ref: 00350672
• GetForegroundWindow.USER32 ref: 00350679
• GetWindowDC.USER32(00005386), ref: 00350680
Memory Dump Source
• Source File: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Similarity
• API ID: Window$CurrentFindProcess$ConsoleTitle$Foreground$InfoSystem
• String ID: aeppxja$ahggkgl$ahzdqmi$aivhfyu$ajxuqsr$argxnnm$arrmccz$avjvdua$bbvmjew$belpbrl$bgsbpmt$bkuhxwy$buczgeu$cbowzfq$cereesc$cfpnaab$chcjfqm$cmfuxst$cmwaitx$cqejwxc$crpqvvb$cuuovwd$cwwcsjm$cypjhvp$czcvkcm$dlyzvax$dpzrlrh$eahuiqd$epoamyi$etwyybz$exkvizq$eysqsyt$ezbqcop$fcbgxaq$fdjwgla$feedlop$ffouyll$fhwqnuz$fnltnxy$focuxea$fszoqbu$fvfcjvn$fyuqfkp$fywlvnx$gdlmlgp$goxdbub$gsviijk$gtwrggo$hdwdruh$hhubnks$hjebsqf$hjeypac$hlyedkk$hvpdpyo$ialyzyo$icsgtfn$iegjpmp$iipoidv$ijkdyvv$ixgfbpw$jajtiuk$jbbgtac$jcmfpdv$jfdvtdb$jidcbye$jkxfmjj$jlqtamj$jnaumwg$jnnjqwd$jpwwqec$jrgyqdd$jrqypgz$jvzouyg$jzkcwjj$kakgdsj$kbodotu$kjkojhg$kprieog$kprvkry$kqfqizh$krljgil$kthdisi$ktuwrlw$laamwag$lgfurfn$lidhylg$ljpszak$lnkjcmt$lvpfxtu$mdzzndn$mftrfxv$mnbsxue$mokavih$nizrxks$nkbfsve$nphoixa$nshyoky$nxhluxd$ogpuwqo$ogsiroj$oslzhot$owovuvi$owpipkg$pajsxax$pcptrfh$pgjoazg$plrysws$ppjjkfb$puuaujq$puvhgbo$pvcoblt$pvkbwlo$pwrjqbq$qcdmtbo$qdslgga$qhbfioj$qjsagjk$qjvxxsw$qrnnvvf$qrzzynq$qujfycv$qxknvmw$qxpdtax$rlcvoml$sakzcte$shkwguu$sqbowrs$stkkrwx$tgztegk$udcouce$udltfjo$uhdgyvg$unrcubh$uobfein$uqwkhcz$uraungw$uworeep$vggymlo$vihpmro$vipcntb$vjenhpv$vuevryi$vysgjtl$wacesxu$wbrssbw$wllkkgr$wmsngch$wolopli$wrxfwtl$wrywyhb$wtpyffj$wwbfbuu$wzovumq$xdnyafd$xfswhpq$xkfmryj$xliobon$xmzdcdd$xofetxj$xxzwzmz$yhmhqxz$ypbsctq$ypshzqc$yqdbiuq$yuzqjxb$ywepmym$yyiodav$zabqzsi$zixpoov$zqltkyw$zxumdua
• API String ID: 3176673176-1958851851
• Opcode ID: 48673ae0b7fe70b50d6da6b3e5d6467e4351fcad93f018d1823a442df5acb1b2
• Instruction ID: 7b77312dc2f11e0f6fb22b453d98a5379e7b16a7eabc8ad2be81c9f04b6201b9
• Opcode Fuzzy Hash: 48673ae0b7fe70b50d6da6b3e5d6467e4351fcad93f018d1823a442df5acb1b2
• Instruction Fuzzy Hash: 99725A35B80255AFE3223B72DC5EBDB3B91DB55B15F400220FB54472E1CE9B960B8E19
Uniqueness Score: -1.00%
Control-flow Graph
• control_flow_graph 118 3421e0-34226c call 334642 * 2 VirtualAlloc
APIs
• VirtualAlloc.KERNELBASE(00000000,0000077E,00003000,00000040,00422C10,0000077E,00408000,0000000F,?,0001AC00,00408000,0000000F), ref: 00342232
Memory Dump Source
• Source File: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Similarity
• API ID: AllocVirtual
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
• API String ID: 4275171209-448403072
• Opcode ID: ee34b1771661b00fb7a89a1522d5a2b9cbf4c53a480418c984010a1ee85b127a
• Instruction ID: 4640223057dd465d55fadc8fc56601d9e9102df690d94e6d635bf5d0c5c83bce
• Opcode Fuzzy Hash: ee34b1771661b00fb7a89a1522d5a2b9cbf4c53a480418c984010a1ee85b127a
• Instruction Fuzzy Hash: AD016270F842147BE7109A559D17F6A7A69DB40B14F204076BA04BB2C0CAF82E408B98
Uniqueness Score: -1.00%
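Two of the function listings above are the ones worth pulling out of this report automatically: the run of FindWindowW/SetConsoleTitleA calls with seven-letter throwaway names starting at 003504F5 (API hammering that pads the function with meaningless calls), and the VirtualAlloc at 00342232 whose flAllocationType 0x3000 is MEM_COMMIT|MEM_RESERVE and whose flProtect 0x40 is PAGE_EXECUTE_READWRITE, in a function whose String ID is the AppLaunch.exe path that the sample later spawns. The following Python is an added example and is not part of the Joe Sandbox report or its tooling: it parses the report's "APIs" lines, decodes the VirtualAlloc constants from winnt.h, and flags both patterns. The sample lines are copied from this section; the call-count threshold and the seven-lowercase-letter token pattern are assumptions tuned to this sample.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not report tooling)."""
import re

# VirtualAlloc constants from winnt.h (only the values needed for decoding)
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

# One report line: "• Api.MODULE(arg,arg), ref: 0035052B" or "• Api.MODULE ref: 003504F5"
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})")
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")
RANDOM_TOKEN = re.compile(r"^[a-z]{7}$")  # assumption: the junk names in this sample are 7 lowercase letters

# Sample input copied from the report: the VirtualAlloc function and the first 16 lines of the junk-call function
RWX_FUNC = "• VirtualAlloc.KERNELBASE(00000000,0000077E,00003000,00000040,00422C10,0000077E,00408000,0000000F,?,0001AC00,00408000,0000000F), ref: 00342232\n"
RWX_FUNC_STRING_ID = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
JUNK_FUNC = """
• GetCurrentProcessId.KERNEL32 ref: 003504F5
• GetWindowDC.USER32(00005C35), ref: 003504FC
• GetForegroundWindow.USER32 ref: 003504FE
• FindWindowA.USER32 ref: 0035050A
• GetCurrentProcessId.KERNEL32 ref: 00350510
• SetConsoleTitleA.KERNEL32(cereesc), ref: 0035052B
• FindWindowW.USER32(kbodotu,epoamyi), ref: 0035053B
• GetCurrentProcessId.KERNEL32 ref: 0035053D
• SetConsoleTitleA.KERNEL32(qdslgga), ref: 00350544
• FindWindowW.USER32(yyiodav,hdwdruh), ref: 00350554
• FindWindowA.USER32 ref: 00350579
• SetConsoleTitleA.KERNEL32(vysgjtl), ref: 00350589
• GetForegroundWindow.USER32 ref: 003505A1
• GetWindowDC.USER32(0000117A), ref: 003505AD
• FindWindowW.USER32(puvhgbo,jzkcwjj), ref: 003505B9
• SetConsoleTitleA.KERNEL32(uraungw), ref: 003505C0
"""


def parse_api_lines(text):
    """Return one dict (api, module, args, ref) per API line found in text."""
    calls = []
    for m in API_LINE.finditer(text):
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def decode_virtualalloc(args):
    """Decode (lpAddress, dwSize, flAllocationType, flProtect); trailing stack values are ignored."""
    addr, size, alloc, prot = (int(a, 16) for a in args[:4])
    return {"address": addr, "size": size,
            "alloc": [name for bit, name in MEM_FLAGS.items() if alloc & bit],
            "protect": PAGE_PROT.get(prot, hex(prot)),
            "rwx": prot == 0x40}  # writable and executable at once: payload staging, not normal heap use


def find_rwx_allocs(calls):
    """(ref, decoded) for every VirtualAlloc/VirtualAllocEx that requests PAGE_EXECUTE_READWRITE."""
    hits = []
    for c in calls:
        if c["api"] not in ("VirtualAlloc", "VirtualAllocEx"):
            continue
        argv = c["args"] if c["api"] == "VirtualAlloc" else c["args"][1:]  # Ex has hProcess first
        if len(argv) >= 4 and all(HEX8.match(a) for a in argv[:4]):
            decoded = decode_virtualalloc(argv)
            if decoded["rwx"]:
                hits.append((c["ref"], decoded))
    return hits


def junk_window_calls(calls, min_calls=5):
    """True when FindWindow*/SetConsoleTitle* is called min_calls+ times, each with distinct
    random-looking names: no real program looks up that many throwaway window titles."""
    count, total_args, names = 0, 0, set()
    for c in calls:
        if c["api"].startswith(("FindWindow", "SetConsoleTitle")) and c["args"]:
            if all(RANDOM_TOKEN.match(a) for a in c["args"]):
                count += 1
                total_args += len(c["args"])
                names.update(c["args"])
    return count >= min_calls and len(names) == total_args


def assess_function(api_text, string_id=""):
    """Human-readable findings for one function listing (API lines plus its Similarity String ID)."""
    calls = parse_api_lines(api_text)
    findings = []
    for ref, d in find_rwx_allocs(calls):
        msg = f"{ref:08X}: VirtualAlloc {'|'.join(d['alloc'])} {d['protect']} size=0x{d['size']:X}"
        if string_id.lower().endswith(".exe"):
            msg += f" in a function referencing {string_id} (process-injection staging)"
        findings.append(msg)
    if junk_window_calls(calls):
        findings.append("FindWindow/SetConsoleTitle flood with random names (junk API calls)")
    return findings


if __name__ == "__main__":
    for label, text, sid in (("0x342232", RWX_FUNC, RWX_FUNC_STRING_ID), ("0x3504f5", JUNK_FUNC, "")):
        print(label, assess_function(text, sid))
```

The RWX allocation is in the stealer's own process, so by itself it only shows a buffer of 0x77E bytes being prepared; what makes it worth flagging is the AppLaunch.exe path in the same function, which matches the child process the report records. The junk-call check deliberately requires every name to be distinct: a legitimate program that polls for one window repeats the same title, and the random seven-letter tokens here never repeat.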

Control-flow Graph
• control_flow_graph 97 3c959b-3c95b0 GetEnvironmentStringsW 98 3c960b 97->98 99 3c95b2-3c95d3 call 3c954a call 335f24 97->99 100 3c960d-3c960f 98->100 99->98 107 3c95d5-3c95d6 call 333cb5 99->107 102 3c9618-3c961e 100->102 103 3c9611-3c9612 FreeEnvironmentStringsW 100->103 103->102 109 3c95db-3c95e0 107->109 110 3c9600 109->110 111 3c95e2-3c95f8 call 335f24 109->111 112 3c9602-3c9609 call 335d03 110->112 111->110 116 3c95fa-3c95fe 111->116 112->100 116->112
APIs
• GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,003B2770,?,?,003B2700,003B2FF8), ref: 003C95A4
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003C9612
Memory Dump Source
• Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Similarity
• API ID: EnvironmentStrings$Free
• String ID:
• API String ID: 3328510275-0
• Opcode ID: a236c62f806f49fe3be097f550feb565ba805b86e5911775d66bdb0bb6105ab0
• Instruction ID: 65323e3282c351d8ba53f3348ec02c7bf70f092ca12335656e353b9f39e54f1d
• Opcode Fuzzy Hash: a236c62f806f49fe3be097f550feb565ba805b86e5911775d66bdb0bb6105ab0
• Instruction Fuzzy Hash: BB01A7B2A016117B673316B61CCDF7F696DDDC2BA0717112EF900DB241EBA08D1182F4
Uniqueness Score: -1.00%

Control-flow Graph
• control_flow_graph 200 3b94f8-3b9503 201 3b9511-3b9517 200->201 202 3b9505-3b950f 200->202 204 3b9519-3b951a 201->204 205 3b9530-3b9541 RtlAllocateHeap 201->205 202->201 203 3b9545-3b9550 call 3336d4 202->203 210 3b9552-3b9554 203->210 204->205 206 3b951c-3b9523 call 334444 205->206 207 3b9543 205->207 206->203 213 3b9525-3b952e call 333d87 206->213 207->210 213->203 213->205
APIs
• RtlAllocateHeap.NTDLL(00000008,?), ref: 003B9539
Memory Dump Source
• Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: e6fffe914121ad80d36273f95c97e6e183950fad205ae80e0c98517ea872960c
• Instruction ID: 4fbafe34df7c3d8e56c3f98284448a2dbd1699838cc7e5d60dd57f542c4be45f
• Opcode Fuzzy Hash: e6fffe914121ad80d36273f95c97e6e183950fad205ae80e0c98517ea872960c
• Instruction Fuzzy Hash: 8FF0BB31794125ABDF735B229C45B9A774C9B83764F158023AB059AA51DA20ED0186E0
Uniqueness Score: -1.00%

Control-flow Graph
• control_flow_graph 342 3bade6-3badf2 343 3bae24-3bae2f call 3336d4 342->343 344 3badf4-3badf6 342->344 351 3bae31-3bae33 343->351 346 3badf8-3badf9 344->346 347 3bae0f-3bae20 RtlAllocateHeap 344->347 346->347 348 3badfb-3bae02 call 334444 347->348 349 3bae22 347->349 348->343 354 3bae04-3bae0d call 333d87 348->354 349->351 354->343 354->347
APIs
• RtlAllocateHeap.NTDLL(00000000,?), ref: 003BAE18
Memory Dump Source
• Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 7f2d40b9bd16ad71947b6833f31eaa38b87a24fb2853b4e214a7ce2dd93647e9
• Instruction ID: 5402784d47e60102172022dfb72fae846bb60ae30aff4ea81d2fe50cd16f1fb9
• Opcode Fuzzy Hash: 7f2d40b9bd16ad71947b6833f31eaa38b87a24fb2853b4e214a7ce2dd93647e9
• Instruction Fuzzy Hash: 54E0ED31A00E226BDA3326229C42BDB768CEB413A8F160120BE14AE991DB60DC0182E6
Uniqueness Score: -1.00%

APIs
• GetUserDefaultLCID.KERNEL32 ref: 003CD895
• IsValidCodePage.KERNEL32(00000000), ref: 003CD8DE
• IsValidLocale.KERNEL32(?,00000001), ref: 003CD8ED
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 003CD935
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 003CD954
Memory Dump Source
• Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Similarity
• API ID: Locale$InfoValid$CodeDefaultPageUser
• String ID: h?
• API String ID: 3475089800-4285749262
• Opcode ID: 829ddf4c5197bfd606f4a72fd13d0c0b87e482fd185be621c99f3d73b2a04619
• Instruction ID: 8f1d107ee89691d1263bf47202a920c0f04e687db5c992d5e5b2e13fc49df132
• Opcode Fuzzy Hash: 829ddf4c5197bfd606f4a72fd13d0c0b87e482fd185be621c99f3d73b2a04619
• Instruction Fuzzy Hash: AD515C71A00319AAEB22EFA5DC85FBA77B8AF58700F06443DF915EB150D7709D00CBA0
Uniqueness Score: -1.00%

APIs
• GetACP.KERNEL32 ref: 003CCC72
• IsValidCodePage.KERNEL32(00000000), ref: 003CCC9D
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 003CCE7E
Memory Dump Source
• Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Similarity
• API ID: CodeInfoLocalePageValid
• String ID: utf8$h?
• API String ID: 790303815-1992367689
• Opcode ID: 12893587e02f2d445db79b6b58816fc123c4deb9fe45d21776442027ad46ebc7
• Instruction ID: 5569aa7108c1030c8815832117e47f3e7e4cd3a9101a9112aed4ecea02ac559f
• Opcode Fuzzy Hash: 12893587e02f2d445db79b6b58816fc123c4deb9fe45d21776442027ad46ebc7
• Instruction Fuzzy Hash: 5171F771A20202AADB27AB35CC86FBA77ACEF44700F15947DF50EDB181EA74ED818754
Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 003CD5D9
                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 003CD602
                                                                  • GetACP.KERNEL32 ref: 003CD617
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                   • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID: ACP$OCP
                                                                  • API String ID: 2299586839-711371036
                                                                  • Opcode ID: e442cd22df10424fcde9e94d6372502ca6925e5864950d8b68bbe065dcb4d899
                                                                  • Instruction ID: 457b1b8c9a32c9afca0ddd14dc2cb099c78bb423df718fe2a9df88104f1ae34d
                                                                  • Opcode Fuzzy Hash: e442cd22df10424fcde9e94d6372502ca6925e5864950d8b68bbe065dcb4d899
                                                                  • Instruction Fuzzy Hash: ED218E22B00104AADB379F15CD01FA777AAAB95B68F97843CF90ADB600E732DE41C750
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                   • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                  • API String ID: 0-2761157908
                                                                  • Opcode ID: 3711d29f7b50f746b15e536fbcd0dcf09141690adaaddae35dd4228a33f324d9
                                                                  • Instruction ID: 2d5e362aa90f6a4cd92cee771a3ab914f87dc636cab75f6b7fb7d952a95f4911
                                                                  • Opcode Fuzzy Hash: 3711d29f7b50f746b15e536fbcd0dcf09141690adaaddae35dd4228a33f324d9
                                                                  • Instruction Fuzzy Hash: E8D23C72E086289FDB66CE28ED407EAB7B9EB54305F1541EBD80DE7240D774AE818F41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00379136
                                                                  • IsDebuggerPresent.KERNEL32 ref: 00379202
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00379222
                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0037922C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                   • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                  • String ID:
                                                                  • API String ID: 254469556-0
                                                                  • Opcode ID: 1e8782852be89eac240165d1cc636b856eff9bf1e56752e25a1960e8da0154da
                                                                  • Instruction ID: 11179a13f971f942b61a5c27316c4c38e4f4261b42774a89aa9e41e551f86b5c
                                                                  • Opcode Fuzzy Hash: 1e8782852be89eac240165d1cc636b856eff9bf1e56752e25a1960e8da0154da
                                                                  • Instruction Fuzzy Hash: 1C3129B5D0521CDBDB21DFA4D989BCDBBB8AF08304F5041EAE40DAB250EB759A85CF04
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 003CD13E
                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 003CD188
                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 003CD24E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                   • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: c17d537cb98efa3e31c1a1bf1fd5d7956f0a3fa425c15d283c1d242eefb54531
                                                                  • Instruction ID: 7863e9438cbc9e0cba1b9a140319319cc250dedae503bc6616dc413a8c7ffd10
                                                                  • Opcode Fuzzy Hash: c17d537cb98efa3e31c1a1bf1fd5d7956f0a3fa425c15d283c1d242eefb54531
                                                                  • Instruction Fuzzy Hash: 48617C719002079FDB2A9F24CC82FBAB7A8EF05310F1184BAF905DA585EB35ED91CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • IsDebuggerPresent.KERNEL32 ref: 0038A33C
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0038A346
                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0038A353
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                   • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                  • String ID:
                                                                  • API String ID: 3906539128-0
                                                                  • Opcode ID: 44cb2b68ba12b172183577ac3dedc1737994dabd58347e403e092cb6964c5642
                                                                  • Instruction ID: 14869022bf68272c255bb4534bbe1b39e3c524cc646ae698f088cfa2789763df
                                                                  • Opcode Fuzzy Hash: 44cb2b68ba12b172183577ac3dedc1737994dabd58347e403e092cb6964c5642
                                                                  • Instruction Fuzzy Hash: 5631A574D017289BDB62DF64D989B8DBBB8BF08310F5041EAE41CAB260E7749F858F45
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(?,?,003B3408,?,?,?,?), ref: 003B3444
                                                                  • TerminateProcess.KERNEL32(00000000,?,003B3408,?,?,?,?), ref: 003B344B
                                                                  • ExitProcess.KERNEL32 ref: 003B345D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                   • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Process$CurrentExitTerminate
                                                                  • String ID:
                                                                  • API String ID: 1703294689-0
                                                                  • Opcode ID: a59bb5efbe84476496df9235cc049f7f04f205dcbb3d9d2524a5518b29184fd1
                                                                  • Instruction ID: ed80657bf5c7ac44e9edf956410241d21ea4351a10d363d64d6711aeb5b1ebd3
                                                                  • Opcode Fuzzy Hash: a59bb5efbe84476496df9235cc049f7f04f205dcbb3d9d2524a5518b29184fd1
                                                                  • Instruction Fuzzy Hash: FCE04631900118AFCF236F15CC4AA883B28EF00749F418020FA09CA531CB35DE83CA54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                   • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: /
                                                                  • API String ID: 0-2043925204
                                                                  • Opcode ID: d7316b6ab970c7d9b68ca38a2626e6c1fac271644adc25b34504e609de9418af
                                                                  • Instruction ID: ffd196e0b6d8434d3de5e77bf578426df6eb60331fcdcebc5aa7f91e0109d6bf
                                                                  • Opcode Fuzzy Hash: d7316b6ab970c7d9b68ca38a2626e6c1fac271644adc25b34504e609de9418af
                                                                  • Instruction Fuzzy Hash: DA825175D003199FDF1AEFA5C891AEFB7B8BF48300F15456AE811EB280EB749A45CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                   • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: &&
                                                                  • API String ID: 0-993083564
                                                                  • Opcode ID: 85207509ed04f7fa63b2e91370092c6db43fde5f5b2eb04f484edd12e97b01ff
                                                                  • Instruction ID: 2483884e9455ff8c0f91e6fe96f8df7b8e38e21b098906c5957fda214135e621
                                                                  • Opcode Fuzzy Hash: 85207509ed04f7fa63b2e91370092c6db43fde5f5b2eb04f484edd12e97b01ff
                                                                  • Instruction Fuzzy Hash: 5D428575D0030ADFDF16EFA4D491AEEBBF4EF19300F1480AAE512AB691DB749A44CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
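
The API records in this part of the listing read differently once the calls are grouped. IsProcessorFeaturePresent(00000017) (23 is PF_FASTFAIL_AVAILABLE) followed by IsDebuggerPresent, SetUnhandledExceptionFilter(00000000) and UnhandledExceptionFilter is the shape of the MSVC C runtime's fault-reporting path; the GetLocaleInfoW/GetACP calls next to the ACP/OCP strings are CRT locale initialisation; GetCurrentProcess/TerminateProcess/ExitProcess is the CRT exit path; and a RaiseException whose first argument is C000000D (STATUS_INVALID_PARAMETER) is consistent with runtime parameter-validation reporting. None of these functions is specific to the sample, so the "checks if the current process is being debugged" signature should not be weighted on them alone. The Python script below is an added example (editor's code, not part of the Joe Sandbox report or of the sample): it parses records in the layout shown on this page and labels each one as runtime boilerplate or as something to open in the disassembler. The record layout is inferred from these pages, the API sets are the editor's heuristic, and the fifth record in SAMPLE is constructed (its addresses are made up) to exercise the injection rule.

```python
"""Triage Joe Sandbox per-function API records (the APIs / Similarity /
Uniqueness Score blocks on this page): separate statically linked C runtime
code from functions that deserve manual reversing.
Added example, not part of the Joe Sandbox report or of the sample. The record
layout is inferred from this page; SAMPLE copies four records from it and adds
one constructed process-injection record whose addresses are made up."""
import re

SAMPLE = """\
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00379136
• IsDebuggerPresent.KERNEL32 ref: 00379202
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00379222
• UnhandledExceptionFilter.KERNEL32(?), ref: 0037922C
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
Uniqueness Score: -1.00%
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 003CD5D9
• GetACP.KERNEL32 ref: 003CD617
• API ID: CodeInfoLocalePageValid
• String ID: utf8$h?
Uniqueness Score: -1.00%
APIs
• GetCurrentProcess.KERNEL32(?,?,003B3408,?,?,?,?), ref: 003B3444
• TerminateProcess.KERNEL32(00000000,?,003B3408,?,?,?,?), ref: 003B344B
• ExitProcess.KERNEL32 ref: 003B345D
Uniqueness Score: -1.00%
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?), ref: 003C2635
Uniqueness Score: -1.00%
APIs
• CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000004,?), ref: 00401000
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00401040
• WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 00401080
• ResumeThread.KERNEL32(?), ref: 004010C0
• API ID: constructed record, not taken from the report
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^• (\w+)\.(\w+)(?:\((.*)\),)? ref: ([0-9A-Fa-f]+)$")
META_RE = re.compile(r"^• ([A-Za-z ]+): ?(.*)$")
RECORD_END_RE = re.compile(r"^Uniqueness Score:.*$", re.M)

PF_FASTFAIL_AVAILABLE = 0x17            # IsProcessorFeaturePresent(23)
STATUS_INVALID_PARAMETER = 0xC000000D   # first RaiseException argument above

# Call sets a statically linked MSVC C runtime leaves behind (editor's heuristic).
# Matching them keeps IsDebuggerPresent inside an abort path from being read as
# anti-debugging. Two or more INJECTION calls in one function earn a human look.
CRT_FAULT_REPORT = {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}
CRT_LOCALE = {"GetLocaleInfoW", "GetLocaleInfoA", "GetACP", "GetOEMCP", "GetCPInfo", "IsValidCodePage"}
CRT_EXIT = {"GetCurrentProcess", "TerminateProcess", "ExitProcess"}
INJECTION = {"VirtualAllocEx", "WriteProcessMemory", "NtWriteVirtualMemory",
             "SetThreadContext", "ResumeThread", "NtUnmapViewOfSection"}

def parse_records(text):
    """One dict per function: {"calls": [(name, module, args, ref)], "meta": {...}}."""
    records = []
    for chunk in RECORD_END_RE.split(text):
        if not chunk.strip():
            continue
        rec = {"calls": [], "meta": {}}
        for line in chunk.splitlines():
            line = line.strip()
            if m := API_RE.match(line):
                name, module, args, ref = m.groups()
                rec["calls"].append((name, module, args.split(",") if args else [], ref))
            elif m := META_RE.match(line):
                rec["meta"][m.group(1)] = m.group(2)
        records.append(rec)
    return records

def _hex(token):
    # "?" means the sandbox could not resolve the argument; treat it as unknown.
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]+", token) else None

def classify(rec):
    names = {c[0] for c in rec["calls"]}
    if len(names & INJECTION) >= 2:
        return "review:injection"
    if CRT_FAULT_REPORT <= names:
        return "crt:fault-report"
    if names and names <= CRT_LOCALE:
        return "crt:locale-init"
    if CRT_EXIT <= names:
        return "crt:exit"
    if any(c[0] == "RaiseException" and c[2] and _hex(c[2][0]) == STATUS_INVALID_PARAMETER
           for c in rec["calls"]):
        return "crt:invalid-parameter"
    return "review:unclassified" if names else "no-apis"

def triage(text):
    """Label every record; 'ref' is the address of its first API call."""
    return [{"ref": rec["calls"][0][3] if rec["calls"] else None,
             "api_id": rec["meta"].get("API ID", ""),
             "label": classify(rec)} for rec in parse_records(text)]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f'{row["ref"]}  {row["label"]:24} {row["api_id"]}')
```

Run as a script it prints one line per record. On a full report, pass the text of the function listing (the APIs / Similarity / Uniqueness Score blocks) to triage(); records labelled review:* are the ones to open first in the disassembler, while crt:* records can be skipped or used only as confirmation that the 00330000 image carries a statically linked runtime. The sets are a starting point, not a whitelist: a function that mixes a CRT call with an injection primitive still lands in review:injection because that rule is tested first.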

                                                                  APIs
                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?), ref: 003C2635
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                   • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ExceptionRaise
                                                                  • String ID:
                                                                  • API String ID: 3997070919-0
                                                                  • Opcode ID: 6ebb0f526366b15cd076a81fcbdcda1bdc4a02fe296f6875435596f9bbbc272d
                                                                  • Instruction ID: 1c339f9bdd4d29a814ac0fa011faf03c6ba415072ade075beab17d08bb897a53
                                                                  • Opcode Fuzzy Hash: 6ebb0f526366b15cd076a81fcbdcda1bdc4a02fe296f6875435596f9bbbc272d
                                                                  • Instruction Fuzzy Hash: 7AB12A316106098FD71ACF28C49AF667BA0FF45364F26865CE899CF2A1C735ED92CB40
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 003798D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FeaturePresentProcessor
                                                                  • String ID:
                                                                  • API String ID: 2325560087-0
                                                                  • Opcode ID: 911850fc96431838a63a491ba8e391d984a40047351009167d31fc42d8e62fcc
                                                                  • Instruction ID: f9bb752cc698e2934f903da8bc770e2a690c1fc251d5ce53078151cb46166b80
                                                                  • Opcode Fuzzy Hash: 911850fc96431838a63a491ba8e391d984a40047351009167d31fc42d8e62fcc
                                                                  • Instruction Fuzzy Hash: E6519CB1A026058FEB26CF58D8817AEBBF0FB48304F15856ED509EB250D778A941CF94
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 003CD425
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: 6ea6593e370f377610e185f63b3fc09829b36f3314a8e38dee02d75ed7046365
                                                                  • Instruction ID: 52ea8a2822015642624db9716b4f63b1dff4a9dcd9ab69da0a16dbeff2abfa70
                                                                  • Opcode Fuzzy Hash: 6ea6593e370f377610e185f63b3fc09829b36f3314a8e38dee02d75ed7046365
                                                                  • Instruction Fuzzy Hash: FC217172605206AFDB2A9F26DC82FBA77A8EF45314F11407DFA05DA141EE34AD41C750
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • EnumSystemLocalesW.KERNEL32(003CD0EA,00000001), ref: 003CCFEE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: EnumLocalesSystem
                                                                  • String ID:
                                                                  • API String ID: 2099609381-0
                                                                  • Opcode ID: b0762ca32d993b84ef93c90f7836aa2391f8e60057ed9edaec286f4681b6bef7
                                                                  • Instruction ID: 75f72fd0ec8d8bf99de2c090e8f7c2fef6c69a2d8bde9e11fcb402836b5953b1
                                                                  • Opcode Fuzzy Hash: b0762ca32d993b84ef93c90f7836aa2391f8e60057ed9edaec286f4681b6bef7
                                                                  • Instruction Fuzzy Hash: 3D11E9366047015FDB199F39C8A1ABAB792FF84358B15443DE98687A40D771AD43C740
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,003CD306,00000000,00000000,?), ref: 003CD6B3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: fa1b4a885c955c1978fa57c77ac451a20eee7acecf873ba9c3d958b4ef624ff2
                                                                  • Instruction ID: f71dd1f5221ec8302d545f525f19087fe859f60cbf7316b99ea5ec3cc52b367b
                                                                  • Opcode Fuzzy Hash: fa1b4a885c955c1978fa57c77ac451a20eee7acecf873ba9c3d958b4ef624ff2
                                                                  • Instruction Fuzzy Hash: 29F0F932A00111BBDB255A24CC45FBA7768DB40358F55443DFC09E3540EA74FE11C790
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • EnumSystemLocalesW.KERNEL32(003CD3D1,00000001), ref: 003CD087
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: EnumLocalesSystem
                                                                  • String ID:
                                                                  • API String ID: 2099609381-0
                                                                  • Opcode ID: 7a6649acec09068b7943b5f0a43fd17e45c559d98f88ce6b57ac3cfea6484e83
                                                                  • Instruction ID: 2fd7d4ed5be8eae420143eaf53457c9a701677b9d03aa6578b45dddee0245275
                                                                  • Opcode Fuzzy Hash: 7a6649acec09068b7943b5f0a43fd17e45c559d98f88ce6b57ac3cfea6484e83
                                                                  • Instruction Fuzzy Hash: F7F0F6763003045FDB256F399881F7A7BA1EF80368F16443DF9458B690D6B19C02CB50
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • EnumSystemLocalesW.KERNEL32(Function_0008956C,00000001,004067A8,0000000C), ref: 003B95BA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: EnumLocalesSystem
                                                                  • String ID:
                                                                  • API String ID: 2099609381-0
                                                                  • Opcode ID: a1ba2701c45c25e86037fc944dcccda9d5a6c429b5910c1f3a5592123367af7a
                                                                  • Instruction ID: 74b7216d0101ad2f59488e69fa3326870369e1f908ff806624aa6f1f1346b2aa
                                                                  • Opcode Fuzzy Hash: a1ba2701c45c25e86037fc944dcccda9d5a6c429b5910c1f3a5592123367af7a
                                                                  • Instruction Fuzzy Hash: 5FF04972A40204DFDB11EF98E982B9D77F0FB49724F10406AF511DB2A1CB7999018F49
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • EnumSystemLocalesW.KERNEL32(003CCE2A,00000001), ref: 003CCF31
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: EnumLocalesSystem
                                                                  • String ID:
                                                                  • API String ID: 2099609381-0
                                                                  • Opcode ID: a2dbb627810da5cb0202466637f08e3bad1fa5ebe0dbe2b6e79d028d62e45fc6
                                                                  • Instruction ID: 4d9a678861489f32440c8b7f3c828bd6b7c955b1b20aebcd514cf8b6b66a23f0
                                                                  • Opcode Fuzzy Hash: a2dbb627810da5cb0202466637f08e3bad1fa5ebe0dbe2b6e79d028d62e45fc6
                                                                  • Instruction Fuzzy Hash: 6FF0553670020457CB159F39D845BAA7F94EFC1750B07805CFE09CB251C2329C43C750
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?), ref: 003BA2FB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: 23d97febaca1e1c91a037d430d5625604981b2cfe65d11055bcfe74fba414acf
                                                                  • Instruction ID: 0b66a489c7c6f93ae56bb9e22107f30f22aa603a6d4df0aa6862458016e480da
                                                                  • Opcode Fuzzy Hash: 23d97febaca1e1c91a037d430d5625604981b2cfe65d11055bcfe74fba414acf
                                                                  • Instruction Fuzzy Hash: 30E04F3550052CBBCF232F61DC45FEE7F5AEF44750F004425FE056A520CB728922AA95
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • EnumSystemLocalesW.KERNEL32(Function_0008956C,00000001), ref: 003B978B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                   • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: EnumLocalesSystem
                                                                  • String ID:
                                                                  • API String ID: 2099609381-0
                                                                  • Opcode ID: 582158b6a5b7ada6f8425c66c1f254e7ba9ffb15e00e40f4ac6d10f6847a9788
                                                                  • Instruction ID: bab8f565ed01a4382fd5b9d61e4b58b66bd677a9cb806b640f8bb0cb7937d202
                                                                  • Opcode Fuzzy Hash: 582158b6a5b7ada6f8425c66c1f254e7ba9ffb15e00e40f4ac6d10f6847a9788
                                                                  • Instruction Fuzzy Hash: 38D0A771A40304AFCB21AF11EC879693F99E344710F80003AF50807261DE71A4028A0C
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%

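The APIs line of the block above records the one imported call this function makes: EnumSystemLocalesW from KERNEL32, referenced at 003B978B, with a second argument of 00000001 (the value of LCID_INSTALLED). Reading hundreds of these function blocks by hand is impractical, so the following Python script is an added example, not Joe Sandbox tooling and not code from the sample, that parses the block format as it appears in this report's text export. It strips the web UI's "Download File" link text from the Associated dump paths, records each block's API calls with their reference addresses, and groups functions by API String ID so that the string-only functions (the many `0-4108050209` entries on this page) can be set aside from the API-calling ones. The sample input is constructed from two blocks on this page; the field names come from the page, while reading the -1.00% uniqueness score as "no score available" is my assumption about the tool's output.

```python
"""Parse the per-function 'Memory Dump Source' blocks from a Joe Sandbox text
report and summarise them for triage (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the report's text export: the function that
# calls EnumSystemLocalesW and one of the many string-only functions.
SAMPLE = """\
APIs
• EnumSystemLocalesW.KERNEL32(Function_0008956C,00000001), ref: 003B978B
Memory Dump Source
• Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Yara matches
Similarity
• API ID: EnumLocalesSystem
• String ID:
• API String ID: 2099609381-0
• Opcode ID: 582158b6a5b7ada6f8425c66c1f254e7ba9ffb15e00e40f4ac6d10f6847a9788
• Instruction ID: bab8f565ed01a4382fd5b9d61e4b58b66bd677a9cb806b640f8bb0cb7937d202
• Opcode Fuzzy Hash: 582158b6a5b7ada6f8425c66c1f254e7ba9ffb15e00e40f4ac6d10f6847a9788
• Instruction Fuzzy Hash: 38D0A771A40304AFCB21AF11EC879693F99E344710F80003AF50807261DE71A4028A0C
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: ffd15198ebc37f987d11837efcc16063b7bda8398e8c5d73a8ce07afdc3ccfa9
• Instruction ID: f43dc6b5a9368bbfcb739c1d41d71494af1d77d88c11275ab46400e567f4d351
• Opcode Fuzzy Hash: ffd15198ebc37f987d11837efcc16063b7bda8398e8c5d73a8ce07afdc3ccfa9
• Instruction Fuzzy Hash: B261453860074696DF3B9F6A88D17BFA398AFC3B00F55492EE882DB681DE61DD41C345
Uniqueness

Uniqueness Score: -1.00%
"""

# "• Name.MODULE(args), ref: ADDR" lines under the APIs header.
API_CALL = re.compile(
    r"^• (?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
# Generic "• Key: value" metadata lines (value may be empty, e.g. "String ID:").
FIELD = re.compile(r"^• (?P<key>[A-Za-z ]+): ?(?P<value>.*)$")
SCORE = re.compile(r"^Uniqueness Score: (?P<score>-?\d+(?:\.\d+)?)%$")
LINK_RESIDUE = "Download File"   # link text the web UI appends to dump paths


def _new_block():
    return {"api_calls": [], "associated": [], "fields": {}, "uniqueness": None}


def parse_report(text):
    """Return one dict per function block: API calls, metadata fields, score."""
    funcs = []
    cur = _new_block()
    for line in text.splitlines():
        line = line.strip()
        m = API_CALL.match(line)
        if m:
            cur["api_calls"].append((m.group("api"), m.group("module"),
                                     m.group("args"), m.group("ref")))
            continue
        m = FIELD.match(line)
        if m:
            key, value = m.group("key"), m.group("value")
            if value.endswith(LINK_RESIDUE):
                value = value[: -len(LINK_RESIDUE)].strip()
            if key == "Associated":
                cur["associated"].append(value)
            else:
                cur["fields"][key] = value
            continue
        m = SCORE.match(line)
        if m:
            cur["uniqueness"] = float(m.group("score"))
            funcs.append(cur)          # the score line closes a block
            cur = _new_block()
    return funcs


def api_inventory(funcs):
    """Sorted (module, api, ref) triples: which imports the functions call and where."""
    return sorted({(mod, api, ref) for f in funcs
                   for api, mod, _args, ref in f["api_calls"]})


def group_by_api_string_id(funcs):
    """Map each 'API String ID' to the Opcode IDs sharing it; a large group with
    no API calls is usually runtime boilerplate rather than the malware's own logic."""
    groups = defaultdict(list)
    for f in funcs:
        groups[f["fields"].get("API String ID", "")].append(f["fields"].get("Opcode ID", ""))
    return dict(groups)


def unscored(funcs):
    """Opcode IDs with a missing or negative uniqueness score (-1.00% here, which
    this example treats as 'no score available'; an assumption, not documented)."""
    return [f["fields"].get("Opcode ID") for f in funcs
            if f["uniqueness"] is None or f["uniqueness"] < 0]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for mod, api, ref in api_inventory(parsed):
        print(f"{mod}!{api} referenced at {ref}")
    for sid, opcodes in group_by_api_string_id(parsed).items():
        print(f"API String ID {sid!r}: {len(opcodes)} function(s)")
```

Run it against the full text export of the report rather than SAMPLE to get the complete import inventory; the two-block sample is only there so the script runs offline.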
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0
                                                                  • API String ID: 0-4108050209
                                                                  • Opcode ID: ffd15198ebc37f987d11837efcc16063b7bda8398e8c5d73a8ce07afdc3ccfa9
                                                                  • Instruction ID: f43dc6b5a9368bbfcb739c1d41d71494af1d77d88c11275ab46400e567f4d351
                                                                  • Opcode Fuzzy Hash: ffd15198ebc37f987d11837efcc16063b7bda8398e8c5d73a8ce07afdc3ccfa9
                                                                  • Instruction Fuzzy Hash: B261453860074696DF3B9F6A88D17BFA398AFC3B00F55492EE882DB681DE61DD41C345
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0
                                                                  • API String ID: 0-4108050209
                                                                  • Opcode ID: a1cb030a4d0b39c5b10a83292369fe06c34b4db32b1cb83549ee47d5e5ad0d9c
                                                                  • Instruction ID: c3e99c104da431fd9904ca5a0264755b507387b2a2550597ab08e0b55e2e9f80
                                                                  • Opcode Fuzzy Hash: a1cb030a4d0b39c5b10a83292369fe06c34b4db32b1cb83549ee47d5e5ad0d9c
                                                                  • Instruction Fuzzy Hash: E3618D3073830556DF3BAA2A8891BBF7799EF52700F56492DE582DF6C2E721DD428341
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0
                                                                  • API String ID: 0-4108050209
                                                                  • Opcode ID: 7c3d1f37a5e7c0fcb5e18dc9f1885a20b04177411efaeaffc2e657eb226bfe06
                                                                  • Instruction ID: c08067d95cdec15c57c1d405992ccc761e00ae93f21985e77f3578678477a6ee
                                                                  • Opcode Fuzzy Hash: 7c3d1f37a5e7c0fcb5e18dc9f1885a20b04177411efaeaffc2e657eb226bfe06
                                                                  • Instruction Fuzzy Hash: 9D51D070607B445BDF3B4AAC89D77BEAB9E9F42308F16051DD883DB682DA25DD04C311
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0
                                                                  • API String ID: 0-4108050209
                                                                  • Opcode ID: 68b5339f9327090f3eb22b6e8632362f1b0a3b6606c86e40ea4670d70c7b69b4
                                                                  • Instruction ID: 21b76dc47906c2e2be52634569322599e9ebe2d805da319d7f5aae8df8909db5
                                                                  • Opcode Fuzzy Hash: 68b5339f9327090f3eb22b6e8632362f1b0a3b6606c86e40ea4670d70c7b69b4
                                                                  • Instruction Fuzzy Hash: 4651AB74A0664896DF3B9A2CCBD77BE77AE9F02344F19041EE483DB6C2D611ED458312
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0
                                                                  • API String ID: 0-4108050209
                                                                  • Opcode ID: 319fcba0d2114b8fe843f5851eb1af5b39cd96b930a37ac3122c727c9a049669
                                                                  • Instruction ID: e5ec2652f0a95110f83e9b18bd688fdf2b562dc97db8e0f5d054d31fc6089812
                                                                  • Opcode Fuzzy Hash: 319fcba0d2114b8fe843f5851eb1af5b39cd96b930a37ac3122c727c9a049669
                                                                  • Instruction Fuzzy Hash: 6551CF74602B489BEF3B9A6D89D77BF679DAF02300F15011DE483DB6A2C611EE44C312
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0
                                                                  • API String ID: 0-4108050209
                                                                  • Opcode ID: f850f763db88a3978971bedcbbc87bc33fc5c30354f0decbb39c1cef9565a5ca
                                                                  • Instruction ID: 5d2cac94aa4086830c7331756a0486d5b333b2b3b8a4b3139aea91d246c3facb
                                                                  • Opcode Fuzzy Hash: f850f763db88a3978971bedcbbc87bc33fc5c30354f0decbb39c1cef9565a5ca
                                                                  • Instruction Fuzzy Hash: 755180B06067499ADF3B8A6C88E77BE679D9B02304F15442ED883EF682C731DD44C355
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0
                                                                  • API String ID: 0-4108050209
                                                                  • Opcode ID: 5a9f3bdd60656a5b43b1b9a13b5ce7d0a70d703a33f3704485b1f44bb8f554dc
                                                                  • Instruction ID: 12473a4f04285c77654307c91468fc8a4ecc4fe2359be6b6a2f081d2b2bfe304
                                                                  • Opcode Fuzzy Hash: 5a9f3bdd60656a5b43b1b9a13b5ce7d0a70d703a33f3704485b1f44bb8f554dc
                                                                  • Instruction Fuzzy Hash: 3C51A87120264956DF3B8A7D88E77BF679DDB01300F59045DF8C3DB682EA11EE488B52
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0
                                                                  • API String ID: 0-4108050209
                                                                  • Opcode ID: 2b409c900a18a9de9d15456e6f74e45453e8b7328e7f3958ed97fbbca03e31e1
                                                                  • Instruction ID: aada0f78ced8e708707ff1fb942a46f5f891c88271b3b4e86ff3872696b2828a
                                                                  • Opcode Fuzzy Hash: 2b409c900a18a9de9d15456e6f74e45453e8b7328e7f3958ed97fbbca03e31e1
                                                                  • Instruction Fuzzy Hash: 7751683023C64867DF3B9B6C88D67BE679E9F42300F15485EE8C2DB6C2D611DE498355
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dcafdecc11775efc7c64be83a2ef79bebaab3ae6c8d7f85a870e1932f3500ec7
• Instruction ID: 97cebe7f38d4b56cd5af5b47fb8451a0cb0cb882778ee016ab5d4e67fc795991
• Opcode Fuzzy Hash: dcafdecc11775efc7c64be83a2ef79bebaab3ae6c8d7f85a870e1932f3500ec7
• Instruction Fuzzy Hash: B9320721E29F414DD7235635C822335A69CAFB73D4F15D73BF81AF59A5EB29C9838200
Uniqueness Score: -1.00%

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af71656453e5d92044ee8b208ca227ecf2b053720aea5167d8ce396e2d387c07
• Instruction ID: 3e50aeac6892e4a3597a1f71c21658a208cfc164fc30f080e95e3be82f348c68
• Opcode Fuzzy Hash: af71656453e5d92044ee8b208ca227ecf2b053720aea5167d8ce396e2d387c07
• Instruction Fuzzy Hash: DFB103755107058FDB3AAB25CC82FBBB3A8EF45308F14456DE94ACA580EB75BD81CB00
Uniqueness Score: -1.00%

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 16579aa61cb10fc3c27e022f8a652102268232180f1c828c849cfba765051fd6
• Instruction ID: 66f161610378df0dfb5e6616214688ff969d501fe9ddd00c9a2b00f0a8438a74
• Opcode Fuzzy Hash: 16579aa61cb10fc3c27e022f8a652102268232180f1c828c849cfba765051fd6
• Instruction Fuzzy Hash: 10F15D71E002199FDF15CFA9C8906AEFBB5FF89314F15826AD819AB341D735AD01CB90
Uniqueness Score: -1.00%

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d1270adc206bfd70443515c3e67172faf18d937a5d183d45e43b06f6979ec83a
• Instruction ID: 7830e5a88fc65afa5bfa0b7ef387c0ffbbee5f75bcc1252c33d375f5e932b3c5
• Opcode Fuzzy Hash: d1270adc206bfd70443515c3e67172faf18d937a5d183d45e43b06f6979ec83a
• Instruction Fuzzy Hash: 4EE19375A102289FDF26DF58CC80BAAB7B8FF4A704F1550EAD949EB245D7309E418F81
Uniqueness Score: -1.00%

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 99bd04f9591661de7a81c478ed620093f3ee54fcde035cc336f1ef217177c56e
• Instruction ID: 85ce306e8b49557c9a1c239366b8e073e68ecb5fd3dd1db9a2596d46b23cb7dc
• Opcode Fuzzy Hash: 99bd04f9591661de7a81c478ed620093f3ee54fcde035cc336f1ef217177c56e
• Instruction Fuzzy Hash: A6516F71E01119EFDF05CFA9C981AAEBBB6EF89310F198069E415AB241C7349E51CFA0
Uniqueness Score: -1.00%

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f128ff4269dfadb7cc4d87d1ecfd2267f046cb9c270fc666a58c80d78ba42615
• Instruction ID: 5b1f59e5724e01611f4c016e494791185c214a92f1301e4b2079530bbdfcd2bd
• Opcode Fuzzy Hash: f128ff4269dfadb7cc4d87d1ecfd2267f046cb9c270fc666a58c80d78ba42615
• Instruction Fuzzy Hash: 9921B673F208394B770CC47E8C5227DB6E1C68C601745823AE8A6EA2C1D968D917E2E4
Uniqueness Score: -1.00%

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f1ad6116df3795b0207df469b6db982f089760928125c56c4695c302cc486b5f
• Instruction ID: 4c4edfef6b6bf98387fc8580032b9d74d7888aec4cdca685e286b67ea37000a6
• Opcode Fuzzy Hash: f1ad6116df3795b0207df469b6db982f089760928125c56c4695c302cc486b5f
• Instruction Fuzzy Hash: 0411CA23F30C255B675C816D8C1727A91D2EBD824031F433AD826EB3C4E994DE23D290
Uniqueness Score: -1.00%

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9131f326d76208cdea46fb7cb7c84788ce256fb9a46935ae80f68796632de89b
• Instruction ID: dc1d7a40c6490dbb5478308fe17562ee8448279368fa0f7fb1b5b6df2ae02c8a
• Opcode Fuzzy Hash: 9131f326d76208cdea46fb7cb7c84788ce256fb9a46935ae80f68796632de89b
• Instruction Fuzzy Hash: 20F0F032640A289BC72B8A5E950CF98B3ACEB05B19F12405AE540DB350C2E4DE00C7C1
Uniqueness Score: -1.00%

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5441ac6d63db2c899eb1ad385eab20bc17b6600190e1fa229164da5be7ffe265
• Instruction ID: d371dbd3c2e319244c59999d9efb90ac323debfeefd892c19c14e3145eed7f18
• Opcode Fuzzy Hash: 5441ac6d63db2c899eb1ad385eab20bc17b6600190e1fa229164da5be7ffe265
• Instruction Fuzzy Hash: BDF0F031240A1CEFC717CE6CCA48F18B3ECEB06308F204828E001DB640E232EE40D702
Uniqueness Score: -1.00%

                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cf2490ab2f86ed8ca977ea90d5f96376bc71eea711f6042dccb047165078da78
                                                                  • Instruction ID: c1be45b524a72135e964718d2a9df1583bdeebdefc4b540e4ba0af86011f5f64
                                                                  • Opcode Fuzzy Hash: cf2490ab2f86ed8ca977ea90d5f96376bc71eea711f6042dccb047165078da78
                                                                  • Instruction Fuzzy Hash: 77F0A932A10668EBCB27CB4CD845F88B3B8EB44B65F1240AAE401EB240C3B0DE00CBC0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2ad327db4e02e3bc5c225943af9baaa1800fe79e63c800fba525ac48ad1bb139
                                                                  • Instruction ID: 8f611ae2e6a2ecd77821e5a42f439f6c627cfa3f0d6f805fcf2ee093f6bf0a74
                                                                  • Opcode Fuzzy Hash: 2ad327db4e02e3bc5c225943af9baaa1800fe79e63c800fba525ac48ad1bb139
                                                                  • Instruction Fuzzy Hash: D8F01C32A10668EBCB269A8C9845B89B2A8EB49B54F11406BE501DB250C7B4DD00DB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 681da30b6b200145d8cdcfb230e428e1ec278b898844b336ac3c409732f3ec63
                                                                  • Instruction ID: 2cb3bec42d8842c49af708451b082096da71a256d397d58fe4e3744e2c8b54dd
                                                                  • Opcode Fuzzy Hash: 681da30b6b200145d8cdcfb230e428e1ec278b898844b336ac3c409732f3ec63
                                                                  • Instruction Fuzzy Hash: 13E06536600208EFCB06CF69C584F0AB3E8EB88388F6180A8E809CB250D734EE44CB40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 935975703f1737b0af33b7c3c1f84850620170980b31f98b0f0e59aaabc6635e
                                                                  • Instruction ID: 181ff034027c9d5d25e439c7cfbfaf53e8c7f7c07257cf9ccbc87362df20d416
                                                                  • Opcode Fuzzy Hash: 935975703f1737b0af33b7c3c1f84850620170980b31f98b0f0e59aaabc6635e
                                                                  • Instruction Fuzzy Hash: A1E06D31600308EFCB16CF98D584F49B7E8EB48348F104079E405C7250D734DE40CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6d0bfc2ef7b64e396843138ab717a1f3c293dc8ee292486fa54476fd2f3b6864
                                                                  • Instruction ID: 182fafc174e280b52f7486522efa9ec694eda1a7820055a4762bbe198b243bf1
                                                                  • Opcode Fuzzy Hash: 6d0bfc2ef7b64e396843138ab717a1f3c293dc8ee292486fa54476fd2f3b6864
                                                                  • Instruction Fuzzy Hash: 46E04F32320564ABC771AE5AEA40C97F7E8EF94BB07854426E945D7611D274FC02C7D4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6e72939573bfb918ed6f3ef60cce890612f5fdfbd6039e5627c71e57e46a0c92
                                                                  • Instruction ID: aac26ad7102d4ad1cc836fee9a65d3d063288f0c1d15d26391a10309e37c5484
                                                                  • Opcode Fuzzy Hash: 6e72939573bfb918ed6f3ef60cce890612f5fdfbd6039e5627c71e57e46a0c92
                                                                  • Instruction Fuzzy Hash: 8BE08632911128EBC715DBCAC948D89F3ECE744B14B11446AB501D7210C270DE01C7D1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2f587c72f0885292c98dbcacd3d7b04a879f0ca34ed6378aaa54ac3c9fc5b0af
                                                                  • Instruction ID: d09bad83c4ece3db7eee71613dc809630983e8662c718bd896298cbb0ce94bd5
                                                                  • Opcode Fuzzy Hash: 2f587c72f0885292c98dbcacd3d7b04a879f0ca34ed6378aaa54ac3c9fc5b0af
                                                                  • Instruction Fuzzy Hash: 17E0E235511248EFCB05DBA9C589F8AB7F9EB48759F2188A8E405DB251D234EF80DA40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: api-ms-$ext-ms-
                                                                  • API String ID: 0-537541572
                                                                  • Opcode ID: edf98363066f40845c5b85d207fc4c76277df175af5e7af1ca0e65cf91798e14
                                                                  • Instruction ID: 63d7a1e95c75d3fd060e5beb55998f1196f73841862c2ec209e0cdafef5475a6
                                                                  • Opcode Fuzzy Hash: edf98363066f40845c5b85d207fc4c76277df175af5e7af1ca0e65cf91798e14
                                                                  • Instruction Fuzzy Hash: 0821BB71B41220EBCB3357649C85BEA3F9C9F51768F260522EF16A7990D630DD0186E4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0035C720
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000), ref: 0035C78B
                                                                  • LCMapStringEx.KERNEL32 ref: 0035C7A8
                                                                  • LCMapStringEx.KERNEL32 ref: 0035C7E7
                                                                  • LCMapStringEx.KERNEL32 ref: 0035C846
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0035C869
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ByteCharMultiStringWide
                                                                  • String ID:
                                                                  • API String ID: 2829165498-0
                                                                  • Opcode ID: 76ff60cfb4552addea3a885ac84a23e3f6d912784ea557dc05dbb630cc78aa42
                                                                  • Instruction ID: 7b13609509c0df2149577a61a668684ffee65de8a4e57e537cab8ee20a22a325
                                                                  • Opcode Fuzzy Hash: 76ff60cfb4552addea3a885ac84a23e3f6d912784ea557dc05dbb630cc78aa42
                                                                  • Instruction Fuzzy Hash: 0851BF72A1031AAFEB224FA0CC85FAB7BB9EF44749F154429FD10AA160E734CC09CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

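The records above are the Joe Sandbox IDA plugin's per-function output: the memory dump the function was disassembled from, an opcode/instruction hash pair for similarity lookups and, where present, the APIs and strings the function references. The entries here that carry API or string data are Microsoft Visual C++ CRT support code rather than the sample's own logic: the `api-ms-`/`ext-ms-` prefix pair is the CRT's API-set module-name check, and MultiByteToWideChar/LCMapStringEx/WideCharToMultiByte together are its ANSI-to-wide locale-mapping wrapper. A negative Uniqueness Score is evidently a placeholder rather than a real percentage. The following is an added example, not part of the Joe Sandbox report or its tooling, that parses records in this layout and buckets them so an analyst can skip CRT boilerplate and look first at code the plugin found in non-executable regions. The sample input is excerpted from this page's records; the CRT markers are a heuristic assumption, and the positional meaning of the `.sdmp` name fields (base address, page protection, memory type) is inferred from this report, not documented here, while the constant values themselves are the winnt.h ones.

```python
"""Added triage helper for Joe Sandbox per-function records; not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# The three line shapes inside a record. The bullet and the "Download File" link text
# are HTML residue and are stripped before matching.
_API_RE = re.compile(r"^(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
_KV_RE = re.compile(r"^([^:]+?):\s*(.*)$")
_SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[0-9.]+)%$")

# winnt.h memory constants; the .sdmp name carries the region's Protect and Type values.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_IMAGE = 0x01000000

# Assumption: these markers identify MSVC CRT support code (API-set name check, locale
# conversion wrapper, runtime-error banner) rather than the sample's own logic.
CRT_STRINGS = ("api-ms-", "ext-ms-", "Microsoft Visual C++ Runtime Library", "Runtime Error!")
CRT_LOCALE_APIS = {"MultiByteToWideChar", "WideCharToMultiByte", "LCMapStringEx", "LCMapStringW"}


@dataclass
class FunctionRecord:
    apis: List[Tuple[str, str, int]] = field(default_factory=list)  # (api, module, call site)
    strings: List[str] = field(default_factory=list)
    dump: str = ""           # .sdmp the function was disassembled from
    opcode_id: str = ""
    uniqueness: float = 0.0  # -1.0 in the report means "not computed"

    def region(self) -> Tuple[int, str, bool]:
        """(base, protection name, is MEM_IMAGE) decoded from the dump name.
        Field positions are inferred from this report's names (assumption)."""
        if not self.dump:
            return 0, "unknown", False
        p = self.dump.split(".")
        base, protect, mtype = int(p[3], 16), int(p[4], 16), int(p[6], 16)
        return base, PAGE_PROTECT.get(protect, hex(protect)), mtype == MEM_IMAGE

    def classify(self) -> str:
        """Heuristic bucket: CRT support code can be skipped, everything else gets a look."""
        if any(m in s for s in self.strings for m in CRT_STRINGS):
            return "crt-support"
        names = {name for name, _, _ in self.apis}
        if names and names <= CRT_LOCALE_APIS:
            return "crt-support"
        prot = self.region()[1]
        if prot.startswith("PAGE_") and "EXECUTE" not in prot:
            return "code-in-writable-region"  # worth a look, but may be a disassembly artefact
        return "review"


def parse_records(text: str) -> List[FunctionRecord]:
    """Parse report text; a 'Uniqueness Score' line terminates each record."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line.endswith("Download File"):
            line = line[: -len("Download File")].rstrip()
        if not line:
            continue
        if m := _SCORE_RE.match(line):
            cur.uniqueness = float(m.group(1))
            if cur.opcode_id:          # drop a record that was cut off before its IDs
                records.append(cur)
            cur = FunctionRecord()
        elif m := _API_RE.match(line):
            cur.apis.append((m.group(1), m.group(2), int(m.group(4), 16)))
        elif m := _KV_RE.match(line):  # bare section headers have no colon and are skipped
            key, val = m.group(1), m.group(2)
            if key == "Source File":
                cur.dump = val.split(",")[0]
            elif key == "String ID" and val:
                cur.strings = val.split("$")
            elif key == "Opcode ID":
                cur.opcode_id = val
    return records


def summarize(text: str) -> dict:
    """Record count per bucket; the analyst reviews only the non-CRT ones."""
    counts: dict = {}
    for rec in parse_records(text):
        counts[rec.classify()] = counts.get(rec.classify(), 0) + 1
    return counts


# Constructed input: four records excerpted from this report, in the report's own layout.
SAMPLE = """\
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0035C720
• LCMapStringEx.KERNEL32 ref: 0035C7A8
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0035C869
• Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
• Opcode ID: 76ff60cfb4552addea3a885ac84a23e3f6d912784ea557dc05dbb630cc78aa42
Uniqueness Score: -1.00%

• Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• String ID: api-ms-$ext-ms-
• Opcode ID: edf98363066f40845c5b85d207fc4c76277df175af5e7af1ca0e65cf91798e14
Uniqueness Score: -1.00%

• Source File: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Opcode ID: 6d0bfc2ef7b64e396843138ab717a1f3c293dc8ee292486fa54476fd2f3b6864
Uniqueness Score: -1.00%

• Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Opcode ID: 5441ac6d63db2c899eb1ad385eab20bc17b6600190e1fa229164da5be7ffe265
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against the whole report text, `summarize` gives the analyst a count per bucket and `parse_records` the records to walk; the two CRT records above land in `crt-support`, the function the plugin disassembled out of the PAGE_READWRITE dump at 0x408000 is flagged separately, and only the remaining `review` entries need manual attention.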
                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(00000000,0042B7CA,00000104), ref: 003B1B59
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                   • Associated: 00000000.00000002.277779104.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277795201.0000000000331000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277847196.000000000033B000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.277857546.000000000033F000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278412058.00000000003DB000.00000020.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278427657.00000000003E3000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278517326.0000000000408000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278640425.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278656694.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.278664998.000000000042F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FileModuleName
                                                                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                  • API String ID: 514040917-4022980321
                                                                  • Opcode ID: 39a570e554b398cf4ab36c3734f5d6a977cc1b499af0f72e972de36e307b6790
                                                                  • Instruction ID: 5e806b54778e9216b6a11e267391117a70dff903bdbc2e9ea78b741d2839c58a
                                                                  • Opcode Fuzzy Hash: 39a570e554b398cf4ab36c3734f5d6a977cc1b499af0f72e972de36e307b6790
                                                                  • Instruction Fuzzy Hash: 01213772F8021576D6336A256DAAEEB3B5CCFE1798F810036FE08D6541F755CA12C2D8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,003B9DB8), ref: 003B9E2B
                                                                  • GetLastError.KERNEL32(?,003B9DB8), ref: 003B9E35
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 003B9E73
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad$ErrorLast
                                                                  • String ID: api-ms-$ext-ms-
                                                                  • API String ID: 3177248105-537541572
                                                                  • Opcode ID: ba413d1f7e811835003ce7559644fba1d4a59a548ae0f5e5de2faaccd0c8fbe6
                                                                  • Instruction ID: 7d5e37a934ace8acbb73e14f0622bfd198015763b2a661472f8b1e4dc1dd07d5
                                                                  • Opcode Fuzzy Hash: ba413d1f7e811835003ce7559644fba1d4a59a548ae0f5e5de2faaccd0c8fbe6
                                                                  • Instruction Fuzzy Hash: 0BF0A030B80205FBEB322B71DC46F9A3E559F00B58F180430FF0DA84E0EBA6DC528689
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 601bb6f01d7fa7f80b385cdc871ffb98aec39f849e8ed1de75ecab6a9defc7ee
                                                                  • Instruction ID: 81f1c0445d57c1d9807bfe06fa66b7adb7c4a94524710298af1fd82cfac29419
                                                                  • Opcode Fuzzy Hash: 601bb6f01d7fa7f80b385cdc871ffb98aec39f849e8ed1de75ecab6a9defc7ee
                                                                  • Instruction Fuzzy Hash: E2C1B075A042499FDB16DFA8C891FBEBBB4AF4A310F14405DE905EB392CB309D42DB61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • _ValidateLocalCookies.LIBCMT ref: 0037F0D7
                                                                  • _ValidateLocalCookies.LIBCMT ref: 0037F168
                                                                  • _ValidateLocalCookies.LIBCMT ref: 0037F1E8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CookiesLocalValidate
                                                                  • String ID: csm
                                                                  • API String ID: 2268201637-1018135373
                                                                  • Opcode ID: 55c8903a2f1a3213005cb76c8b4b410b1a439244c30b8fd03ad441fb8917fedd
                                                                  • Instruction ID: 468af4578835ba10822d72a2223848544e317458355a459f3705dcd65fc2a99a
                                                                  • Opcode Fuzzy Hash: 55c8903a2f1a3213005cb76c8b4b410b1a439244c30b8fd03ad441fb8917fedd
                                                                  • Instruction Fuzzy Hash: C741B334A00218DFCF22DF68C881AAE7BB5BF45314F55C1A9EC186F396D739A905CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00389B80), ref: 00389D7B
                                                                  • GetLastError.KERNEL32(?,00389B80), ref: 00389D85
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00389DAD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad$ErrorLast
                                                                  • String ID: api-ms-
                                                                  • API String ID: 3177248105-2084034818
                                                                  • Opcode ID: b6b3da366384fd433616d511877419e9e5b5b2d15d7850a1510309442eaa42cd
                                                                  • Instruction ID: e0953ac6e017a889ea999befbabbfa9ede57b8bde6a6b8915bcad1af6c6412a1
                                                                  • Opcode Fuzzy Hash: b6b3da366384fd433616d511877419e9e5b5b2d15d7850a1510309442eaa42cd
                                                                  • Instruction Fuzzy Hash: DFE04830740304BBDB212B61DC06FA83B559F00B55F540071FD0CA80F0E761D856964C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
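The entries above are not the stealer's own logic but statically linked MSVC C runtime helpers, and the API/string profile the sandbox prints is enough to tell. The two LoadLibraryExW functions (refs 003B9E2B and 00389D7B) have the shape of the runtime's guarded library loader: the first call passes dwFlags 00000800 (LOAD_LIBRARY_SEARCH_SYSTEM32), GetLastError is checked for the flag being rejected on older Windows, and only then is LoadLibraryExW retried with flags 0, a retry the runtime skips for module names starting with api-ms- or ext-ms- (the String IDs shown). The _ValidateLocalCookies function validates the /GS stack cookie from an exception frame handler, and its "csm" string is the little-endian byte form of the MSVC C++ exception code 0xE06D7363. The GetModuleFileNameW function with "Runtime Error!Program:" and "Microsoft Visual C++ Runtime Library" is the runtime's fatal-error message builder. The following script is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses this entry format and tags such functions so an analyst can skip them. Its rules are heuristics of this example, to be confirmed in the disassembly, and its input is a constructed copy of the API and String ID lines from the entries above with the unused fields dropped.

```python
"""Tag Joe Sandbox function entries that look like statically linked MSVC CRT code.
Added example (not from the report or the IDA plugin); the rules below are this
example's own heuristics and should be confirmed against the disassembly."""
import re
from dataclasses import dataclass, field

# Constructed input: API and String ID lines copied from the report entries; the
# other fields of each entry are omitted because the rules do not use them.
SAMPLE = """\
APIs
• GetModuleFileNameW.KERNEL32(00000000,0042B7CA,00000104), ref: 003B1B59
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNEL32(?,00000000,00000800,?,003B9DB8), ref: 003B9E2B
• GetLastError.KERNEL32(?,003B9DB8), ref: 003B9E35
• LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 003B9E73
• String ID: api-ms-$ext-ms-
Uniqueness Score: -1.00%
APIs
• _ValidateLocalCookies.LIBCMT ref: 0037F0D7
• _ValidateLocalCookies.LIBCMT ref: 0037F168
• _ValidateLocalCookies.LIBCMT ref: 0037F1E8
• String ID: csm
Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00389B80), ref: 00389D7B
• GetLastError.KERNEL32(?,00389B80), ref: 00389D85
• LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00389DAD
• String ID: api-ms-
Uniqueness Score: -1.00%
APIs
• GetConsoleOutputCP.KERNEL32 ref: 003BEC7F
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 003BEEC9
• GetLastError.KERNEL32 ref: 003BEFB1
• String ID:
Uniqueness Score: -1.00%
"""

# One API line: "• Name.MODULE(arg,arg), ref: ADDR" or "• Name.MODULE ref: ADDR".
API_RE = re.compile(r"^•\s+(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800  # dwFlags value printed as 00000800


@dataclass
class ApiCall:
    name: str
    args: list   # argument tokens as printed ("?" for unknown values)
    ref: int     # address of the call site


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)

    @property
    def ref(self):
        return self.apis[0].ref if self.apis else None


def parse_entries(text):
    """Split the listing at 'Uniqueness Score' lines and collect each entry's calls/strings."""
    entries, cur = [], FunctionEntry()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Uniqueness Score"):
            if cur.apis or cur.strings:
                entries.append(cur)
            cur = FunctionEntry()
        elif line.startswith("• String ID:"):
            cur.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif line.startswith("• Part of subcall"):
            continue  # made by a callee, not by this function
        elif (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["name"], args, int(m["ref"], 16)))
    if cur.apis or cur.strings:
        entries.append(cur)
    return entries


def _flags(call):
    """dwFlags (3rd argument) of a LoadLibraryExW call, or None if not a literal."""
    try:
        return int(call.args[2], 16)
    except (IndexError, ValueError):
        return None


def is_crt_load_library(e):
    """System32-only load, error check, then an unflagged retry, guarded by API-set prefixes."""
    flags = [_flags(c) for c in e.apis if c.name == "LoadLibraryExW"]
    return (LOAD_LIBRARY_SEARCH_SYSTEM32 in flags and 0 in flags
            and any(c.name == "GetLastError" for c in e.apis) and "api-ms-" in e.strings)


def is_crt_seh_handler(e):
    """Stack-cookie validation plus the byte form of the C++ exception code 0xE06D7363."""
    return any(c.name == "_ValidateLocalCookies" for c in e.apis) and "csm" in e.strings


def is_crt_runtime_error(e):
    return any(c.name == "GetModuleFileNameW" for c in e.apis) and "Runtime Error!Program:" in e.strings


RULES = [("crt_load_library", is_crt_load_library),
         ("crt_seh_handler", is_crt_seh_handler),
         ("crt_runtime_error", is_crt_runtime_error)]


def classify(entries):
    """Return (first call-site address, tag) per entry; unmatched entries need manual review."""
    return [(e.ref, next((tag for tag, rule in RULES if rule(e)), "unclassified")) for e in entries]


if __name__ == "__main__":
    for ref, tag in classify(parse_entries(SAMPLE)):
        print(f"{ref:08X}  {tag}")
```

The rules deliberately key on argument literals and String IDs rather than API names alone: plenty of non-CRT code calls LoadLibraryExW, but the 0x800-then-0 flag pair together with the api-ms- prefix is specific to the runtime's loader thunk. Entries left "unclassified" (here the GetConsoleOutputCP/WriteFile one) are the ones worth opening in the disassembler.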

                                                                  APIs
                                                                  • GetConsoleOutputCP.KERNEL32 ref: 003BEC7F
                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 003BEEC9
                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 003BEF09
                                                                  • GetLastError.KERNEL32 ref: 003BEFB1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                                  • String ID:
                                                                  • API String ID: 2718003287-0
                                                                  • Opcode ID: dc457cef260ba5ff44eae332d0c2a65558254a9c5fd49d6e5b686125e153f53d
                                                                  • Instruction ID: 7198e0eb5d7a157be14cfda8db067d6bb0591f7cd2e92542bffff37bef26a49d
                                                                  • Opcode Fuzzy Hash: dc457cef260ba5ff44eae332d0c2a65558254a9c5fd49d6e5b686125e153f53d
                                                                  • Instruction Fuzzy Hash: 8FC17B75D002599FCB16CFA8C8809EDFBB5EF08318F29816AE955FB742D6319D42CB60
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 003C1C9B
                                                                  • GetLastError.KERNEL32(?,?,?), ref: 003C1CA5
                                                                  • SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 003C1CCA
                                                                  • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 003C1CF0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FilePointer$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 142388799-0
                                                                  • Opcode ID: 22f880021ec1ac8708aea4de71cb1714d3a6252b3bb9902d6f75a6fdea6b277f
                                                                  • Instruction ID: 69d3f831fcf4c3dac34e60a01ea9c32154463ab83c4c266cc6c6496656578521
                                                                  • Opcode Fuzzy Hash: 22f880021ec1ac8708aea4de71cb1714d3a6252b3bb9902d6f75a6fdea6b277f
                                                                  • Instruction Fuzzy Hash: 1E011771911118BBDF22AFA5CC48DEFBF79EF02761F108119F825961A1CB318A51EBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 003D82BE
                                                                  • GetLastError.KERNEL32 ref: 003D82CA
                                                                  • ___initconout.LIBCMT ref: 003D82DA
                                                                    • Part of subcall function 003D8358: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,003D82DF), ref: 003D836B
                                                                  • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 003D82EE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ConsoleWrite$CreateErrorFileLast___initconout
                                                                  • String ID:
                                                                  • API String ID: 3431868840-0
                                                                  • Opcode ID: 7e8e3df2f8f32c8bcf26719781c26cb18af92b714ed0bdda3b5f045eef6911d3
                                                                  • Instruction ID: 6f0b1b884b83b3e2fcd3bb3e13b80aa607cb4040bb9d974a4f7afbe83db4f7cc
                                                                  • Opcode Fuzzy Hash: 7e8e3df2f8f32c8bcf26719781c26cb18af92b714ed0bdda3b5f045eef6911d3
                                                                  • Instruction Fuzzy Hash: 2FF0FE3B200600BBCB332F96EC04D477BB6EF89761B650425F65992230DA31A852DB64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 003D83D7
                                                                  • GetLastError.KERNEL32 ref: 003D83E3
                                                                  • ___initconout.LIBCMT ref: 003D83F3
                                                                    • Part of subcall function 003D8358: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,003D82DF), ref: 003D836B
                                                                  • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 003D8408
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleWrite$CreateErrorFileLast___initconout
                                                                  • String ID:
                                                                  • API String ID: 3431868840-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  • GetXStateFeaturesMask, xrefs: 003BA414
                                                                  • InitializeCriticalSectionEx, xrefs: 003BA464
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.277882944.0000000000354000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_330000_5Qq54zuREl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
                                                                  • API String ID: 0-4196971266
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: l
                                                                  • API String ID: 0-2262094252
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: l
                                                                  • API String ID: 0-2262094252
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: l
                                                                  • API String ID: 0-2262094252
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 91ab66c5ae31deb77517c36fd2da6e9b707e7833cce50ffac77984c338e92202
                                                                  • Instruction ID: e2455bf45d03ec2476c29567a7c06e17808f4f4f016e408e2465cce05877e276
                                                                  • Opcode Fuzzy Hash: 91ab66c5ae31deb77517c36fd2da6e9b707e7833cce50ffac77984c338e92202
                                                                  • Instruction Fuzzy Hash: 7341D330B142449FEB54EB74D8157AE7BB6AFC5300F018865D645EB391DF788E06CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 32aaded8d51aea09e178b730f516628e6679b58de048734c076f48cabd432385
                                                                  • Instruction ID: f6a3882cafbcf6ee0a6a6ff8c4eeca465b9df5d14106491b09d604f3d9578b88
                                                                  • Opcode Fuzzy Hash: 32aaded8d51aea09e178b730f516628e6679b58de048734c076f48cabd432385
                                                                  • Instruction Fuzzy Hash: 83312230B092008FD758DB28C82476EB7F6EFC6314F14866AD64ACB391DB358C46CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e25bc232e6427825337030a1980a70a9236ce74edf7b72853b90be5ecc798a8e
                                                                  • Instruction ID: 56f498cc0c46a281cd4bf8b285c1e2d755a678d7c4b999377e17e61af516b3a6
                                                                  • Opcode Fuzzy Hash: e25bc232e6427825337030a1980a70a9236ce74edf7b72853b90be5ecc798a8e
                                                                  • Instruction Fuzzy Hash: 9541A374B022109FC748AB7894145AE7BF7FBC9211714C96DE90AD7350DF399D028B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a523a5c25baeede8c4a4bcac12918a63d11de58409dbf52a72b22eb6c4bfe696
                                                                  • Instruction ID: d2633e5e450e6a203f0e9d08480216342a0ecf8f4673e2b9c18f69567eb7012e
                                                                  • Opcode Fuzzy Hash: a523a5c25baeede8c4a4bcac12918a63d11de58409dbf52a72b22eb6c4bfe696
                                                                  • Instruction Fuzzy Hash: 20314B3470A3505FC7559778F8188AA3BB6EBCA2547158C6AF759C7781DF348C0287A2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: abe691193fa248412cf6a827f501cd4922834bd296c05c59477cbc92fd3cd32d
                                                                  • Instruction ID: c1b7f4a2e47e5b9b47eef20bdafe4c790d999401870576cf6ebf13900cff501a
                                                                  • Opcode Fuzzy Hash: abe691193fa248412cf6a827f501cd4922834bd296c05c59477cbc92fd3cd32d
                                                                  • Instruction Fuzzy Hash: BF31F63470A3405FC719AB74981456E7BF79FCA2047098DBAD74AC7B92DF349C0687A2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 477c6bc75548624bf63969df1b616e6aed0d48af9dc10ad1a2bb3fdad25b0704
                                                                  • Instruction ID: d7310aaa8978d4cb2bc6ba5b34a10520fbcfe4d59b072770ff06c17a49f0baf8
                                                                  • Opcode Fuzzy Hash: 477c6bc75548624bf63969df1b616e6aed0d48af9dc10ad1a2bb3fdad25b0704
                                                                  • Instruction Fuzzy Hash: 0F315B34B112088FD758EF64C4A8AAE7BF6BF89300F144568E606DB3A1CF759D41CB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6cd533add025b458a67651233dd6df8bc01470d3014ce358dcbf3bb5e3c09933
                                                                  • Instruction ID: ffbf18fd052d0b351e339390a7282091996ac42aa902ca15924e92c46968d386
                                                                  • Opcode Fuzzy Hash: 6cd533add025b458a67651233dd6df8bc01470d3014ce358dcbf3bb5e3c09933
                                                                  • Instruction Fuzzy Hash: 69314D34B112088FD758DF68C999AAA7BFABF89700F144568E606EB3A0CB719D41CF50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dde4ae3287121e2b7507843c37ffa0c574c6d6823eb92584e148e228f5301498
                                                                  • Instruction ID: 67283dcb05c45927c316c7e61704e0b84e72b838b215dd596cbe1ae9bdcd0449
                                                                  • Opcode Fuzzy Hash: dde4ae3287121e2b7507843c37ffa0c574c6d6823eb92584e148e228f5301498
                                                                  • Instruction Fuzzy Hash: 8231AA32E107469BDB10AF78C800AD8B771FF99320F259B1AE58977641EB70B5D4CB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 027b399f6ea092f8858a6d38ee693c7d66ebbd29b3a9b6781b103acced6e9282
                                                                  • Instruction ID: 84bed3e37202802e5a481296b8c3c8e765b5103a16fc200dc6f1be03f9037dd9
                                                                  • Opcode Fuzzy Hash: 027b399f6ea092f8858a6d38ee693c7d66ebbd29b3a9b6781b103acced6e9282
                                                                  • Instruction Fuzzy Hash: 5D31B931E107068FCB519F78D4142AAB7B5FF95300B10CA2AD655E7341EF35A945CBD1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 96fba5c949758d51076fa9ff6bdb80b9f3e5ada8ee36d003a1cbf5c3f02d66e6
                                                                  • Instruction ID: 1bcc557ea744a629d5e670d403ddd3cc617c27dc276faef74f77865adcffde1c
                                                                  • Opcode Fuzzy Hash: 96fba5c949758d51076fa9ff6bdb80b9f3e5ada8ee36d003a1cbf5c3f02d66e6
                                                                  • Instruction Fuzzy Hash: 97318931E1070A9ADB10EF78C801AD9B771EF99320F259719E65977641EB70B5D4CB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 251bf56cf7e5e45b8460b3fac045c3008cff814ddfbc268dff243456447950f8
                                                                  • Instruction ID: f0e12e8fc11d1afbebc50c7d096755825877f5ddfd1ba2bd16379171895a1247
                                                                  • Opcode Fuzzy Hash: 251bf56cf7e5e45b8460b3fac045c3008cff814ddfbc268dff243456447950f8
                                                                  • Instruction Fuzzy Hash: 08314BB9901205EFCF019FA0ED469ADBF72FB88300F058955F611A7220DB395A15DF61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6fa3d91bbcc752e6fdef0e31d5be7fdd2572cfbd3656884485a9c7773bbce666
                                                                  • Instruction ID: 19342f9adeaeb87381c23a948b39b30d82077cf37fa811cc0374bccbcf094f59
                                                                  • Opcode Fuzzy Hash: 6fa3d91bbcc752e6fdef0e31d5be7fdd2572cfbd3656884485a9c7773bbce666
                                                                  • Instruction Fuzzy Hash: E13138B9901209EFCF019FE0E8499ACBFB6FB8C300F058858E611B7260DB3A5955DF11
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ca912a59f64144d91672f2f0cbe14f20d087f8054ef79e7b926e6395f7ba9c93
                                                                  • Instruction ID: 9c706425a1b655943cbcc95de19b57a11082a44715fab9fd05822f8d8d8f3007
                                                                  • Opcode Fuzzy Hash: ca912a59f64144d91672f2f0cbe14f20d087f8054ef79e7b926e6395f7ba9c93
                                                                  • Instruction Fuzzy Hash: 8531B631E1060A8FCB51AF78D4142AEB7B5FF85300B10C929D65AA7781EF34AA45CBD1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 76d83a6801e6c3745619e6d2d713864aa688dfb1740a6f4a002fdb72d8f1aeb1
                                                                  • Instruction ID: 1a4b3095a6929999c73b74e9c0feed5cbd736d2be627bb2ae81bf47d2282b92e
                                                                  • Opcode Fuzzy Hash: 76d83a6801e6c3745619e6d2d713864aa688dfb1740a6f4a002fdb72d8f1aeb1
                                                                  • Instruction Fuzzy Hash: C3218135A00205DFEB51DF64D948AAE7BB2FF88310F148469EA518B7A1DB31DD41CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526095047.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_90d000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3ea44158ebabc528e8273e16fbd1aa2f1f87b69936f6f801c04262a38a7b8bda
                                                                  • Instruction ID: 958ffcea070874029b26c1bd51cd833c5bddfacaced302acb905ae89668d98cf
                                                                  • Opcode Fuzzy Hash: 3ea44158ebabc528e8273e16fbd1aa2f1f87b69936f6f801c04262a38a7b8bda
                                                                  • Instruction Fuzzy Hash: 7A213A71504244DFDB04CF54DDC0B26BFA9FB88328F248569FD054B28AC33AD856C7A2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9b3559c3d6da7e5529f13f876b7b5796a7cf08acc02fa2e8cd341b5f2556ff40
                                                                  • Instruction ID: b7a790e4507b0ef9ef0088fc3a15707dec423058215973ea767db3e71b32a9be
                                                                  • Opcode Fuzzy Hash: 9b3559c3d6da7e5529f13f876b7b5796a7cf08acc02fa2e8cd341b5f2556ff40
                                                                  • Instruction Fuzzy Hash: 6621C53121C3454FE724EF34EC808DE73B6AFC5348B818E29E1559BA65DB70AD0A8791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d70b6919f8512664a0a437b89709f46996f7a4e759e8525ef342ce51c811f7cb
                                                                  • Instruction ID: 5b8a4b74cd7a3030df8f09c522c7b805eb7ce9f96b2089330b46416c45ed56b3
                                                                  • Opcode Fuzzy Hash: d70b6919f8512664a0a437b89709f46996f7a4e759e8525ef342ce51c811f7cb
                                                                  • Instruction Fuzzy Hash: 9521F830B2B290CFD79A5B70E41D2393FBA7B46645704CC6DE787C7A82DB288505CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ed8a1621cf6b27202deb0c4a0d7daebdfe3f194cd61174ee20a4b6b88a6e51ad
                                                                  • Instruction ID: 097fb39ced1d11d9b754463e8fd5236065e4293311163a2fb3a767ea612c3fcd
                                                                  • Opcode Fuzzy Hash: ed8a1621cf6b27202deb0c4a0d7daebdfe3f194cd61174ee20a4b6b88a6e51ad
                                                                  • Instruction Fuzzy Hash: 5021B03120C3454FD725DF24DC8088B77B6AFC2308B468E69E155DBA71EB70AD09CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4b68c1289f80acfe2ff88429de3946033a3505c638deb2e2f67ed982bde11274
• Instruction ID: cb3670d647bcb21a1c7f08325c4c4734628bf2a5f5c5d0f82b400be86a43cefd
• Opcode Fuzzy Hash: 4b68c1289f80acfe2ff88429de3946033a3505c638deb2e2f67ed982bde11274
• Instruction Fuzzy Hash: EE3154346173C1CFC766AB74D0183087FB3AB4A205F1588AAEA95C7393D639954AD732
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 18f4c8f2ef9dc0ceccb0d6f76edf882f5adf9a5e0775845a213bb4e0675e0a1e
• Instruction ID: 5cd02c2e3454c5d84be5890032f19793ae01f0ddff84ccb41eee54e15ee5e683
• Opcode Fuzzy Hash: 18f4c8f2ef9dc0ceccb0d6f76edf882f5adf9a5e0775845a213bb4e0675e0a1e
• Instruction Fuzzy Hash: 3421F5302097014FD765EF24E40066A7BE7EFC5308B10CD6DD259CBA65DB749805CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f6d2e5fdb153817b478d3b97eefadb54e71f54078a2fcd943d8029087496842
• Instruction ID: dd8bce40f6af792e76a1ec860082ee74ef5c8f7bd5a0790fb156ac278b34ce09
• Opcode Fuzzy Hash: 7f6d2e5fdb153817b478d3b97eefadb54e71f54078a2fcd943d8029087496842
• Instruction Fuzzy Hash: DD11B1303193419FE3A55B74AC5462A7BBBFBC5315B108D2DE742C7B81CA729C0ACB51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 599d6d32fd9c9bcb368dc3cc23fe05f5a925cd9d8bc7009b9d7e633ab26ea4f7
• Instruction ID: e7f64e7bc289c16d78ec9f6df4dd32890ae284b63cbde4857b649aa03e7c8e99
• Opcode Fuzzy Hash: 599d6d32fd9c9bcb368dc3cc23fe05f5a925cd9d8bc7009b9d7e633ab26ea4f7
• Instruction Fuzzy Hash: 8A11D2342153044FD764AF34D804A6B3BF7AFC1704F458D68E1468BA91DF78990ACBA6
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de3d96c7bf5e6bfc924fe327d9d7b0e596c2d5e202a6fa3f47d9c97bd098c7f8
• Instruction ID: a6abdec2885251789f1e5ed6f144cacbef8762b69ccf5a92e8035e7ca283e4ad
• Opcode Fuzzy Hash: de3d96c7bf5e6bfc924fe327d9d7b0e596c2d5e202a6fa3f47d9c97bd098c7f8
• Instruction Fuzzy Hash: E611E63020A2815FD746A734E95057E3BB7FFD6201315CD29D246CBA82DF307C068791
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 10410e39961397d15686d0e0ad7bc49c29c14c659a3521c178ab7c0dcc27eed1
• Instruction ID: 3553b2f900baae1326f177f9cc432e2fa491d791ab3b58c87a45624f71fcec9d
• Opcode Fuzzy Hash: 10410e39961397d15686d0e0ad7bc49c29c14c659a3521c178ab7c0dcc27eed1
• Instruction Fuzzy Hash: 6D11E6312093419FE3915F65E408AA77BB9EBC1304F008D6EE29AC7691C67298058BE2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f680a8a2515e71ffa0adb6e5916431728b0c176a7f866be33dae063e648c041
• Instruction ID: 8f11128456e8db693c445b6d600a25df8109f17aa74edbf5b17d4f9f9555d6d0
• Opcode Fuzzy Hash: 8f680a8a2515e71ffa0adb6e5916431728b0c176a7f866be33dae063e648c041
• Instruction Fuzzy Hash: 8711BF342063914FD795AB34E81466F3BFBABC2315B05CD6DE242CBA51CF71AD0687A1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 21f2a40e268aa259cfc57afbf3ff684980ca9279aa95389b85ad8f3c4678b095
• Instruction ID: b98c1c9ceff8da97006b811c13e46d59ff245c0561228722fc2c62b891a14dc0
• Opcode Fuzzy Hash: 21f2a40e268aa259cfc57afbf3ff684980ca9279aa95389b85ad8f3c4678b095
• Instruction Fuzzy Hash: EC119D3071460A9FC744EF24D88164EB3B6FFC5204B508D24D1159BAA0DB70AD0987D1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526095047.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_90d000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cda654458de76cb64107e5579bd44183674724ce0e843b11be44c764efc24bd5
• Instruction ID: 5af63f2aa0989f36807b6042c8757580768a3e105a4aa22aa0f326439518970c
• Opcode Fuzzy Hash: cda654458de76cb64107e5579bd44183674724ce0e843b11be44c764efc24bd5
• Instruction Fuzzy Hash: 2611D376404280CFCB11CF54D9C4B16BF71FB98324F2886A9EC050B65AC33AD856CBA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c95ec3d4f09406f79919589899aab044e26c4019640524785aabc17044c2b1f
• Instruction ID: 898ea215532c91ed046283ea68813ee408e50cffabf4bbdff7cb51c257892ce5
• Opcode Fuzzy Hash: 2c95ec3d4f09406f79919589899aab044e26c4019640524785aabc17044c2b1f
• Instruction Fuzzy Hash: 6F01DB34A193448FC7559B78A8240757B77AF8B2047198CEBD685CB352EA35CD06CB51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e4538b946a2a7eea37e8debb82359567f860ba25c490c1fd431c16f4e355771
• Instruction ID: 99eee0bd6e768cbd33863f631d836a3c4bf0223250f5111134a09fd8501c6e03
• Opcode Fuzzy Hash: 0e4538b946a2a7eea37e8debb82359567f860ba25c490c1fd431c16f4e355771
• Instruction Fuzzy Hash: 3A0139303113019FD3A45B74A85872AB7ABEBC4219B548D2DE747C7785DBB1AC0A9B40
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8ca29f429cc07f5535566c3c3bd8d60d3cb5a4908be8c1d7a15c6664adec029f
• Instruction ID: bcf747e9019f46d767bd24f5494983729674265913d7244326bf81fd23012af8
• Opcode Fuzzy Hash: 8ca29f429cc07f5535566c3c3bd8d60d3cb5a4908be8c1d7a15c6664adec029f
• Instruction Fuzzy Hash: 4C017C312062055FAA89BB34E55496E33BBFFC4215355CE2CE20BCBB84DE70BD068792
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 56c6905aa0887e480057db1cf15781f39e5fcd6a09d130837b8b3ae687c4eeeb
• Instruction ID: f145170722cd62bcf14e8d2d0b5352a6a5fb724c2eb2a78b2cb692c07fdf8509
• Opcode Fuzzy Hash: 56c6905aa0887e480057db1cf15781f39e5fcd6a09d130837b8b3ae687c4eeeb
• Instruction Fuzzy Hash: 4F012430A1430A9FC7509F74DC41A8BB7B9FBC2324F104E29D1519BA90DB70AC0687E0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1cfc67040e42080f5ff39885367ff1588a5703b3252cf08158c354f9f39803aa
• Instruction ID: 1a13d3cb5dbfd1d1545b2f30fd847610d1609e8cbf14cd3c1048363b20a76fe3
• Opcode Fuzzy Hash: 1cfc67040e42080f5ff39885367ff1588a5703b3252cf08158c354f9f39803aa
• Instruction Fuzzy Hash: 6D01BC342046058FC754CF29E944C5AB7B6BFC5314706C86AE641CBB22DB70FC01CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 937082e30f1fa620fce3c09b35e2c8213e439658ea4600724d54af9a838cbacd
• Instruction ID: 034e3860bde21fb6b8593ed5d2a1994f61342ec3cf9d74d5f25a08148cb65ef8
• Opcode Fuzzy Hash: 937082e30f1fa620fce3c09b35e2c8213e439658ea4600724d54af9a838cbacd
• Instruction Fuzzy Hash: 2E01A27090A244EFCB40EFB8E85589C7FF6EF86204B1188A9D509E7750DE356F04CBA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 86fc3adb1894b9e53284d869e26e00cd8f88f204f37850f573eec88177ae4ac2
• Instruction ID: 1ea1786600b13afb09835667055ba8726e95415d5d3e829072bee05f8a854067
• Opcode Fuzzy Hash: 86fc3adb1894b9e53284d869e26e00cd8f88f204f37850f573eec88177ae4ac2
• Instruction Fuzzy Hash: 19F0AF70F64555CF8B94DBB8A9044EE7BF4BF88210B118569E91AE7350EB354E12CFC0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 781c2542e029c7143fd6155467abfb464e398c4dc33609ba6e9488f48f6a8006
• Instruction ID: 18f25794d8b14633ba7426388a6b8ff59032074b6dfc515556761dc05ccd8f63
• Opcode Fuzzy Hash: 781c2542e029c7143fd6155467abfb464e398c4dc33609ba6e9488f48f6a8006
• Instruction Fuzzy Hash: 43016D70A012199FDB90DFA9D804ADEBFF5FF89710B004A1AD559E3241E7306A4A8FE5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 59e02f3004c67021be431a86a26aadfacb20cbb1f52d2971bedb7018cba9a7d5
• Instruction ID: ad90d43b09533e4be5a07b230fab4756143bc8dc36935cb6010df41858b8362d
• Opcode Fuzzy Hash: 59e02f3004c67021be431a86a26aadfacb20cbb1f52d2971bedb7018cba9a7d5
• Instruction Fuzzy Hash: A2F02435F01308CBCB048BA8D8545CEBBB6DFC6300F10016AD509AB751DA305D05CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee522c18a584e819fb8b520d792a4b75fffa1106fba7fe823bd51e1842c853b0
• Instruction ID: 6f34b18f0b764170e44128fa03fe5c8af8af0c598edae107ff4b74dea06aa277
• Opcode Fuzzy Hash: ee522c18a584e819fb8b520d792a4b75fffa1106fba7fe823bd51e1842c853b0
• Instruction Fuzzy Hash: 5AF09E32B182045FC7148F29D8547A7FFB5EFC5220F0441BAD64A8B352DB319C44CBA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0fd5dfa8be2473114b902d88112e08108bef9d27516c8a73d69fb1916297b0c4
• Instruction ID: 749236b3c5e07da8078711d99fbfec043c3be36178140a921b113ead7075010f
• Opcode Fuzzy Hash: 0fd5dfa8be2473114b902d88112e08108bef9d27516c8a73d69fb1916297b0c4
• Instruction Fuzzy Hash: 31F08C70A02208EFCB40EFB4E85998CBBF2EB85208B1088A9D509E7750DF346F04CB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1695aa10b4f23d608c33ac0bf2a25a38f3f415d6c63a8295d2769e1bf39b959
• Instruction ID: 7c412be56c7490806e3603c003d52fb41907273de339326ec4f650e7e7bdd278
• Opcode Fuzzy Hash: e1695aa10b4f23d608c33ac0bf2a25a38f3f415d6c63a8295d2769e1bf39b959
• Instruction Fuzzy Hash: 9DF0E5352093442FD3511B65BC59A4A7F6EDBCA310F05886AF205C7292EEA50D0583B2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a06b7ea4043bdf80ec42b9b2aecf6efefbda24c6a71d099f01f33cc194e83ad
• Instruction ID: 1f0cdfc25a2355923225ef7a6320997b41792fe05fcbc4ee12b95575801333c2
• Opcode Fuzzy Hash: 4a06b7ea4043bdf80ec42b9b2aecf6efefbda24c6a71d099f01f33cc194e83ad
• Instruction Fuzzy Hash: 2301B234A15219AFEF41CB90D894FEEBB72BF48314F204505EA06BB2A1C7759944DBA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b03045e015a4333505481e0955885985c80f7b5691e88ceba49b91828ffe19f0
• Instruction ID: 55afc64a7a19ba3e34af4b905da82dd1ceeab1d4ed8b8d163f7afad5d7306b47
• Opcode Fuzzy Hash: b03045e015a4333505481e0955885985c80f7b5691e88ceba49b91828ffe19f0
• Instruction Fuzzy Hash: ABF01D70A00219CFDB94DF69D8049DEBBF5FF88710F00492AD519E3310DB706A098BD4
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 108468d20ee910f5d02d3ec6b58329bff1ff009378b7a527f2643edc2ce4867a
                                                                  • Instruction ID: 70b6392ee77f28880549ddeb963e4e6bd2435630441cca69b61f17df8e838ecd
                                                                  • Opcode Fuzzy Hash: 108468d20ee910f5d02d3ec6b58329bff1ff009378b7a527f2643edc2ce4867a
                                                                  • Instruction Fuzzy Hash: 7CF0E23054EB908FD395EB799C4505A7BF2EDC6200340CD59C286CBDA1DB20A90AC391
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e0ad660b28ecb5b541335b92be35aa340111dcfb076d10d556765530b89e68d3
                                                                  • Instruction ID: 5c252879b1af301788ca6797424f0d849bd510a42306d0dba0d1eaeccdc5a855
                                                                  • Opcode Fuzzy Hash: e0ad660b28ecb5b541335b92be35aa340111dcfb076d10d556765530b89e68d3
                                                                  • Instruction Fuzzy Hash: 22E0E5316093406FCB15576CA8148AE7BB7FEC1310305886AE606CB682CF315D0287A2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c1aea8e4f639a05f847cf6ce5c43292444262fc41e4742d24a7bdb9be458240f
                                                                  • Instruction ID: 478c2f8529994ee2c8bebdb70c53bf0e197df0e9acd3a5b2537c0f5f68896a49
                                                                  • Opcode Fuzzy Hash: c1aea8e4f639a05f847cf6ce5c43292444262fc41e4742d24a7bdb9be458240f
                                                                  • Instruction Fuzzy Hash: 0AF0E93260A5528FD305CF24C444949BBB6BF85620309819AE5498BB22CB14ED52C7C0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 78719fd536a3e4b26e115e737a040309b102300b1b8cc33e01f1f8c28124ec51
                                                                  • Instruction ID: b34df0af7b257490ce33f6e22b89799b2089fe6461e4552a33a0d11fc10047f5
                                                                  • Opcode Fuzzy Hash: 78719fd536a3e4b26e115e737a040309b102300b1b8cc33e01f1f8c28124ec51
                                                                  • Instruction Fuzzy Hash: 67F065327059659FD3159F29D444D49B7AAAF856203158259E54997721CF20FD41C7C0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ab6b03b1e2b4baf0db4f6d9477825d492cb1da02759e6a962ba1ad12507a5dcc
                                                                  • Instruction ID: 780edc2e907009847c92cc237ba67f24fbfee636377b9deb31367110081d7ded
                                                                  • Opcode Fuzzy Hash: ab6b03b1e2b4baf0db4f6d9477825d492cb1da02759e6a962ba1ad12507a5dcc
                                                                  • Instruction Fuzzy Hash: 19F09AB0502B048FD324DF26E508562BBF7FB88700B00CA2EE44AC2B24DF74A409CF94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ef7bbe3e5a63e76eae728f9e2844e57f6af003e644251028daabd0daeef371bf
                                                                  • Instruction ID: c91f2d0680cd2145baf5ec7cbb2d052a1faad536e3255389a3e0148e569682a2
                                                                  • Opcode Fuzzy Hash: ef7bbe3e5a63e76eae728f9e2844e57f6af003e644251028daabd0daeef371bf
                                                                  • Instruction Fuzzy Hash: 17E0653251D3D05EC38697B419244DA2F764A82010B0A45EBD189CB593D55808488362
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ec697a2d067b48737578de8b511bb0a2b9e5e05dc73525147c05ed2746f3d328
                                                                  • Instruction ID: 758f80e65069c14335505bb552a7c7b7f76f02c526f9289cf3e5670869e98aa9
                                                                  • Opcode Fuzzy Hash: ec697a2d067b48737578de8b511bb0a2b9e5e05dc73525147c05ed2746f3d328
                                                                  • Instruction Fuzzy Hash: 0CE026313052042BD3146B6ABC4995F7F6EDBC9320700C839F70AC3382DE751D0582B2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b9ec8fabde528034b0d97d1aa49706ba9211011a8288003237475e34ac284427
                                                                  • Instruction ID: 66b704631c5f3107519c1f0c08ea4c1f42b318ca6e99e4f4b8f9d1ca4647726e
                                                                  • Opcode Fuzzy Hash: b9ec8fabde528034b0d97d1aa49706ba9211011a8288003237475e34ac284427
                                                                  • Instruction Fuzzy Hash: 3DE0D830A0E348AFC701DB78AC114DE7FB4DB8230871145EEE009D72A2C6341F05DB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 944b2bd44c04d3e85a6eb2c3d5e2b575b2142a60dbabbaad64491a69b9f5defc
                                                                  • Instruction ID: 907c322b7c979995b1affa209781d4c179e0a9556655f23f14bb098f74bd89a8
                                                                  • Opcode Fuzzy Hash: 944b2bd44c04d3e85a6eb2c3d5e2b575b2142a60dbabbaad64491a69b9f5defc
                                                                  • Instruction Fuzzy Hash: 21E02B3051C3904FEBE16B20AC685D83B61EBC7304F004E6DFA49CF189C7685E024793
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 282aaba0651bd4c48374d36e5c683e0c3bf6c3f0f59cd4a919b2fd9a4aadab14
                                                                  • Instruction ID: 22a3922e14160def82a7406ee2161244ba5a695bc8e3e1105f4dc1f55ba3fe9a
                                                                  • Opcode Fuzzy Hash: 282aaba0651bd4c48374d36e5c683e0c3bf6c3f0f59cd4a919b2fd9a4aadab14
                                                                  • Instruction Fuzzy Hash: EDE065345282615BDB968B24AC146AA3BA5E7C2104B05469AF740DFD56C71C4E468B92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2c2807c68ba6ec6339d210e34149250c3e28af4d29d4ff9a9d66fc68d1092b6a
                                                                  • Instruction ID: a449ec4600d05d9d6d80cf55e4733f3f8bb72fff948734b4ada5b36641a2303e
                                                                  • Opcode Fuzzy Hash: 2c2807c68ba6ec6339d210e34149250c3e28af4d29d4ff9a9d66fc68d1092b6a
                                                                  • Instruction Fuzzy Hash: 65E02630B152D0CFC7A19B3896180F53FB4AF0620034504EBE58AC7AA2EA60CC07CBA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ec3e9a39776f54ed9a637595281b4e0af89fea51816f85894c8f70d445feaccc
                                                                  • Instruction ID: 81195f860452da2ed6ffcfc571cc4f4aa21013b77f52eca1e20c2d015935c306
                                                                  • Opcode Fuzzy Hash: ec3e9a39776f54ed9a637595281b4e0af89fea51816f85894c8f70d445feaccc
                                                                  • Instruction Fuzzy Hash: 25E0923050AB104FC318EB39E94644AB7EA9EC5200340CE29D25AC7D50DF70BD0986A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fea4953a9ba92ed65c9cb54064c9734d9f44cbc3381c8e63acf5a9725605b7f5
                                                                  • Instruction ID: 38fefccf217a749e750992d7138f8b8b09201e52ec712d3232e9b3305fe110b4
                                                                  • Opcode Fuzzy Hash: fea4953a9ba92ed65c9cb54064c9734d9f44cbc3381c8e63acf5a9725605b7f5
                                                                  • Instruction Fuzzy Hash: 98E09A74A093449FD794DF28D8167057BE2AB84300F11C449E085CB257D73C8B41CB42
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0828fdb2efad5722d7ce060915afaf0754eb0c6aba3a11024c47bf929dd037a4
                                                                  • Instruction ID: e05dfae549f584bb8c86704ab8d86e97a06dc73c67e697f752f28e41e4e1b8a6
                                                                  • Opcode Fuzzy Hash: 0828fdb2efad5722d7ce060915afaf0754eb0c6aba3a11024c47bf929dd037a4
                                                                  • Instruction Fuzzy Hash: C1E092B4D0420D9F8B94DFA9D8416BEBFF4AB58201F10816AE918E2240E7345A51CFD5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 38ec79012322cc8b9bd289144c953a4e4fa8cc24a1391e24b18c478bb7b22177
                                                                  • Instruction ID: 725d572c8c07124f3f456fca1de2406e5c60f5fb442164c5b157b3183ec444d9
                                                                  • Opcode Fuzzy Hash: 38ec79012322cc8b9bd289144c953a4e4fa8cc24a1391e24b18c478bb7b22177
                                                                  • Instruction Fuzzy Hash: BCD01730E0520CEFCB40DFA4E90159DBBF9EB85308B5189A8D408E3660EA312F00EB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d9189c62fc350ec9d0e3f0c7e45088dcc2c112762a51c1d662a1cafb15379883
                                                                  • Instruction ID: 0eb05500219464b413bdb29f4e2eddc00ccf01e9aead388484010ac178d498be
                                                                  • Opcode Fuzzy Hash: d9189c62fc350ec9d0e3f0c7e45088dcc2c112762a51c1d662a1cafb15379883
                                                                  • Instruction Fuzzy Hash: EDD022336083282B0748DAE858448CE7B9DCA84130F0144ABC209C7280EE74190802D5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7e5c454941de924673ae6c35444e37fc352b60b946b2a117da787922d5311ce9
                                                                  • Instruction ID: fe7628273e7defb4903c7106d5825646f23874a027188f7a411c7382a8486029
                                                                  • Opcode Fuzzy Hash: 7e5c454941de924673ae6c35444e37fc352b60b946b2a117da787922d5311ce9
                                                                  • Instruction Fuzzy Hash: 4CC04C6224F3E1AEDB1351256C256D62FB4984216834A0497D454CA153C20D854A82B2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.526587249.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_65f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 94bb4ad6c4e8c7697ec09d4b36f004304c777dc517d59ea099282f971d7b2fb3
                                                                  • Instruction ID: 735f60f3eb2979058eab5f4e19ed0e7f7d782a0cc2418932a06caa572a9ed2c3
                                                                  • Opcode Fuzzy Hash: 94bb4ad6c4e8c7697ec09d4b36f004304c777dc517d59ea099282f971d7b2fb3
                                                                  • Instruction Fuzzy Hash: 0DC0123682E3C14EDFD393780A640583F22280B2A075A0AC3E2D4CA4E38A00484DD723
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%