
Windows Analysis Report
5Qq54zuREl.exe

Overview

General Information

Sample Name:5Qq54zuREl.exe
Analysis ID:699572
MD5:ef105c04e69b202408cae62ab05ed460
SHA1:6a4b822478fc7ee87ce9f5d7c4c38eca71c8174b
SHA256:6f03dfd71abd06402371157eac912ffeae7871a6d93b8d2dad3242ae59644fcf
Tags:exe

Detection

RedLine
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains an invalid checksum
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
PE / OLE file has an invalid certificate
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • 5Qq54zuREl.exe (PID: 6800 cmdline: "C:\Users\user\Desktop\5Qq54zuREl.exe" MD5: EF105C04E69B202408CAE62AB05ED460)
    • AppLaunch.exe (PID: 6816 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
    • WerFault.exe (PID: 6956 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 252 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
{"C2 url": ["195.54.170.157:16525"], "Bot Id": "1874386002", "Authorization Header": "1ed306ce33b7f6bc7de430ec8e4d8d9f"}
Source | Rule | Description | Author | Strings
00000001.00000000.311760106.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000001.00000000.311760106.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown
    • 0x13305:$a1: get_encrypted_key
    • 0x129fd:$a2: get_PassedPaths
    • 0x1142a:$a3: ChromeGetLocalName
    • 0x12c08:$a4: GetBrowsers
    • 0x19638:$a5: Software\Valve\SteamLogin Data
    • 0x18ed8:$a6: %appdata%\
    • 0x12722:$a7: ScanPasswords
00000000.00000000.317838453.0000000001158000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000000.317838453.0000000001158000.00000004.00000001.01000000.00000003.sdmp | Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown
      • 0x13715:$a1: get_encrypted_key
      • 0x12e0d:$a2: get_PassedPaths
      • 0x1183a:$a3: ChromeGetLocalName
      • 0x13018:$a4: GetBrowsers
      • 0x19a48:$a5: Software\Valve\SteamLogin Data
      • 0x192e8:$a6: %appdata%\
      • 0x12b32:$a7: ScanPasswords
00000000.00000000.316874184.0000000001158000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.3.5Qq54zuREl.exe.2730000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.3.5Qq54zuREl.exe.2730000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
          • 0x19ca8:$pat14: , CommandLine:
          • 0x12cce:$v2_1: ListOfProcesses
          • 0x12a8e:$v4_3: base64str
          • 0x136d3:$v4_4: stringKey
          • 0x1123f:$v4_5: BytesToStringConverted
          • 0x1033a:$v4_6: FromBase64
          • 0x117b2:$v4_8: procName
          • 0x11ac8:$v5_1: DownloadAndExecuteUpdate
          • 0x12965:$v5_2: ITaskProcessor
          • 0x11ab6:$v5_3: CommandLineUpdate
          • 0x11aa7:$v5_4: DownloadUpdate
          • 0x11eac:$v5_5: FileScanning
          • 0x11460:$v5_7: RecordHeaderField
          • 0x110c8:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.5Qq54zuREl.exe.2730000.0.unpack | Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown
          • 0x13705:$a1: get_encrypted_key
          • 0x12dfd:$a2: get_PassedPaths
          • 0x1182a:$a3: ChromeGetLocalName
          • 0x13008:$a4: GetBrowsers
          • 0x19a38:$a5: Software\Valve\SteamLogin Data
          • 0x192d8:$a6: %appdata%\
          • 0x12b22:$a7: ScanPasswords
1.0.AppLaunch.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
1.0.AppLaunch.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
            • 0x19ca8:$pat14: , CommandLine:
            • 0x12cce:$v2_1: ListOfProcesses
            • 0x12a8e:$v4_3: base64str
            • 0x136d3:$v4_4: stringKey
            • 0x1123f:$v4_5: BytesToStringConverted
            • 0x1033a:$v4_6: FromBase64
            • 0x117b2:$v4_8: procName
            • 0x11ac8:$v5_1: DownloadAndExecuteUpdate
            • 0x12965:$v5_2: ITaskProcessor
            • 0x11ab6:$v5_3: CommandLineUpdate
            • 0x11aa7:$v5_4: DownloadUpdate
            • 0x11eac:$v5_5: FileScanning
            • 0x11460:$v5_7: RecordHeaderField
            • 0x110c8:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
            No Sigma rule has matched
            No Snort rule has matched


            AV Detection

Source: 5Qq54zuREl.exe | ReversingLabs: Detection: 70%
Source: 5Qq54zuREl.exe | Virustotal: Detection: 55%
Source: 5Qq54zuREl.exe | Metadefender: Detection: 44%
Source: 1.0.AppLaunch.exe.400000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["195.54.170.157:16525"], "Bot Id": "1874386002", "Authorization Header": "1ed306ce33b7f6bc7de430ec8e4d8d9f"}
Source: 5Qq54zuREl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5Qq54zuREl.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.707479773.0000000005233000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.707479773.0000000005233000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ServiceModel.pdb125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: AppLaunch.exe, 00000001.00000002.707479773.0000000005233000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb{mw source: AppLaunch.exe, 00000001.00000002.707479773.0000000005233000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: indows\System.ServiceModel.pdbpdbdel.pdbI source: AppLaunch.exe, 00000001.00000002.707479773.0000000005233000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ServiceModel.pdbH source: AppLaunch.exe, 00000001.00000002.707657974.000000000529B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbr} source: AppLaunch.exe, 00000001.00000002.707672565.00000000052A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.707657974.000000000529B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.707672565.00000000052A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdba source: AppLaunch.exe, 00000001.00000002.707672565.00000000052A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \Downloads\NewPublish\udezfxe44vl12u\main.pdb source: 5Qq54zuREl.exe
Source: global traffic | TCP traffic: 192.168.2.5:49720 -> 195.54.170.157:16525
Source: Joe Sandbox View | IP Address: 195.54.170.157 195.54.170.157
Source: unknown | TCP traffic detected without corresponding DNS query: 195.54.170.157
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultL
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
Source: AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: 5Qq54zuREl.exe, 5Qq54zuREl.exe, 00000000.00000000.317838453.0000000001158000.00000004.00000001.01000000.00000003.sdmp, 5Qq54zuREl.exe, 00000000.00000003.311786578.0000000002732000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000000.311760106.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip

            System Summary

Source: 0.3.5Qq54zuREl.exe.2730000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.5Qq54zuREl.exe.2730000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 1.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0.0.5Qq54zuREl.exe.1080000.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.5Qq54zuREl.exe.1080000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0.0.5Qq54zuREl.exe.1080000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.5Qq54zuREl.exe.1080000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0.2.5Qq54zuREl.exe.1080000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.5Qq54zuREl.exe.1080000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0.0.5Qq54zuREl.exe.1080000.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.5Qq54zuREl.exe.1080000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 00000001.00000000.311760106.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 00000000.00000000.317838453.0000000001158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 00000000.00000000.316874184.0000000001158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 00000000.00000002.333886087.0000000001158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 00000000.00000003.311786578.0000000002732000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 5Qq54zuREl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.3.5Qq54zuREl.exe.2730000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.5Qq54zuREl.exe.2730000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 1.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0.0.5Qq54zuREl.exe.1080000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.5Qq54zuREl.exe.1080000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0.0.5Qq54zuREl.exe.1080000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.5Qq54zuREl.exe.1080000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0.2.5Qq54zuREl.exe.1080000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.5Qq54zuREl.exe.1080000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0.0.5Qq54zuREl.exe.1080000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.5Qq54zuREl.exe.1080000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 00000001.00000000.311760106.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 00000000.00000000.317838453.0000000001158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 00000000.00000000.316874184.0000000001158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 00000000.00000002.333886087.0000000001158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 00000000.00000003.311786578.0000000002732000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 5Qq54zuREl.exe | Binary or memory string: OriginalFilename vs 5Qq54zuREl.exe
Source: 5Qq54zuREl.exe, 00000000.00000000.317875975.000000000117F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameilasm.exeT vs 5Qq54zuREl.exe
Source: 5Qq54zuREl.exe, 00000000.00000000.317838453.0000000001158000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFireworms.exe4 vs 5Qq54zuREl.exe
            Source: 5Qq54zuREl.exe, 00000000.00000003.311786578.0000000002732000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFireworms.exe4 vs 5Qq54zuREl.exe
            Source: 5Qq54zuREl.exeBinary or memory string: OriginalFilenameilasm.exeT vs 5Qq54zuREl.exe
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 252
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 1_2_051FEF081_2_051FEF08
            Source: 5Qq54zuREl.exeStatic PE information: invalid certificate
            Source: 5Qq54zuREl.exeReversingLabs: Detection: 70%
            Source: 5Qq54zuREl.exeVirustotal: Detection: 55%
            Source: 5Qq54zuREl.exeMetadefender: Detection: 44%
            Source: 5Qq54zuREl.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\5Qq54zuREl.exe "C:\Users\user\Desktop\5Qq54zuREl.exe"
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 252
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
            Source: 0.3.5Qq54zuREl.exe.2730000.0.unpack, BrEx.csBase64 encoded string: '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
            Source: 1.0.AppLaunch.exe.400000.0.unpack, BrEx.csBase64 encoded string: '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
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6800
            Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER11AE.tmpJump to behavior
            Source: classification engineClassification label: mal64.troj.winEXE@4/4@0/1
            Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: 5Qq54zuREl.exeStatic file information: File size 1067936 > 1048576
            Source: 5Qq54zuREl.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: 5Qq54zuREl.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: 5Qq54zuREl.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: 5Qq54zuREl.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: 5Qq54zuREl.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: 5Qq54zuREl.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: 5Qq54zuREl.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: 5Qq54zuREl.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.707479773.0000000005233000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.707479773.0000000005233000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ServiceModel.pdb125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: AppLaunch.exe, 00000001.00000002.707479773.0000000005233000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb{mw source: AppLaunch.exe, 00000001.00000002.707479773.0000000005233000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: indows\System.ServiceModel.pdbpdbdel.pdbI source: AppLaunch.exe, 00000001.00000002.707479773.0000000005233000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ServiceModel.pdbH source: AppLaunch.exe, 00000001.00000002.707657974.000000000529B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbr} source: AppLaunch.exe, 00000001.00000002.707672565.00000000052A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.707657974.000000000529B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: AppLaunch.exe, 00000001.00000002.707672565.00000000052A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdba source: AppLaunch.exe, 00000001.00000002.707672565.00000000052A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \Downloads\NewPublish\udezfxe44vl12u\main.pdb source: 5Qq54zuREl.exe
            Source: 5Qq54zuREl.exeStatic PE information: real checksum: 0x10b200 should be: 0x109448
            Source: 5Qq54zuREl.exeStatic PE information: section name: .00cfg
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6820Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeAPI coverage: 1.9 %
            Source: AppLaunch.exe, 00000001.00000002.707705065.00000000052BA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeCode function: 0_2_010C912A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_010C912A
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeCode function: 0_2_010921E0 LdrInitializeThunk,VirtualAlloc,LdrInitializeThunk,LdrInitializeThunk,0_2_010921E0
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeCode function: 0_2_010C912A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_010C912A
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeCode function: 0_2_010C94E6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_010C94E6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory allocated: page read and write | page guardJump to behavior
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeCode function: GetLocaleInfoEx,0_2_010C7899
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeCode function: 0_2_010C98BB cpuid 0_2_010C98BB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: C:\Users\user\Desktop\5Qq54zuREl.exeCode function: 0_2_010C8FC2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_010C8FC2

Stealing of Sensitive Information

Source: Yara match | File source: 0.3.5Qq54zuREl.exe.2730000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.5Qq54zuREl.exe.1080000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.5Qq54zuREl.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5Qq54zuREl.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.5Qq54zuREl.exe.1080000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.311760106.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.317838453.0000000001158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.316874184.0000000001158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.333886087.0000000001158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.311786578.0000000002732000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5Qq54zuREl.exe PID: 6800, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 6816, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.3.5Qq54zuREl.exe.2730000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.5Qq54zuREl.exe.1080000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.5Qq54zuREl.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5Qq54zuREl.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.5Qq54zuREl.exe.1080000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.311760106.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.317838453.0000000001158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.316874184.0000000001158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.333886087.0000000001158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.311786578.0000000002732000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5Qq54zuREl.exe PID: 6800, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 6816, type: MEMORYSTR
MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count of signatures mapped to that technique):

Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At (Linux) | At (Windows) | Cron
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script
Privilege Escalation: Process Injection (11) | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (2) | Disable or Modify Tools (1) | Process Injection (11) | Obfuscated Files or Information (1) | Software Packing
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets
Discovery: System Time Discovery (1) | Security Software Discovery (21) | Virtualization/Sandbox Evasion (2) | System Information Discovery (33) | Remote System Discovery (1)
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH
Collection: Archive Collected Data (1) | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer | Data Transfer Size Limits
Command and Control: Encrypted Channel (1) | Non-Standard Port (1) | Steganography | Protocol Impersonation | Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap | Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: Modify System Partition | Device Lockout | Delete Device Data | Carrier Billing Fraud | Manipulate App Store Rankings or Ratings
Source | Detection | Scanner | Label
5Qq54zuREl.exe | 70% | ReversingLabs | Win32.Trojan.Smokeloader
5Qq54zuREl.exe | 56% | Virustotal |
5Qq54zuREl.exe | 44% | Metadefender |
No Antivirus matches
Source | Detection | Scanner | Label
1.0.AppLaunch.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1251247
0.3.5Qq54zuREl.exe.2730000.0.unpack | 100% | Avira | HEUR/AGEN.1251247
No Antivirus matches
Source | Detection | Scanner | Label
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id4Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id3 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id3Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14Response | 0% | URL Reputation | safe
            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://tempuri.org/Entity/Id10Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/ | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id4 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id17Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id4Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/ip | 5Qq54zuREl.exe, 00000000.00000000.317838453.0000000001158000.00000004.00000001.01000000.00000003.sdmp, 5Qq54zuREl.exe, 00000000.00000003.311786578.0000000002732000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000000.311760106.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id7Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id11Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id20 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id3 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id18Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/ | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id3Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id10 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id11 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id17 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id18 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19 | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/actor/next | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14Response | AppLaunch.exe, 00000001.00000002.708165332.0000000006DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
195.54.170.157 | unknown | unknown | | 51171 | VALICOM-ASPT | false
                                        Joe Sandbox Version:36.0.0 Rainbow Opal
                                        Analysis ID:699572
                                        Start date and time:2022-09-08 12:55:46 +02:00
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 8m 1s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Sample file name:5Qq54zuREl.exe
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Run name:Run with higher sleep bypass
Number of new started processes analysed:20
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal64.troj.winEXE@4/4@0/1
                                        EGA Information:
                                        • Successful, ratio: 50%
                                        HDC Information:
                                        • Successful, ratio: 100% (good quality ratio 96.8%)
                                        • Quality average: 78.9%
                                        • Quality standard deviation: 27.5%
                                        HCA Information:
                                        • Successful, ratio: 75%
                                        • Number of executed functions: 67
                                        • Number of non-executed functions: 7
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Sleeps bigger than 300000ms are automatically reduced to 1000ms
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                        • Excluded IPs from analysis (whitelisted): 20.189.173.20
                                        • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, login.live.com, eudb.ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
                                        • Execution Graph export aborted for target AppLaunch.exe, PID 6816 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        No simulations
Match | Associated Sample Name / URL | Detection
195.54.170.157 | file.exe | malicious
| q1wLT3xKiY.exe | malicious
| 9n6ctoq7cn.exe | malicious
| xZ4q0nNSPX.exe | malicious
| 9n6ctoq7cn.exe | malicious
| WSkT8d093C.exe | malicious
| em1B8DcC72.exe | malicious
| JMDc707Z03.exe | malicious
| 22nuoItfxs.exe | malicious
| l5Pmw9b4cO.exe | malicious
| FgHKF9V3FB.exe | malicious
| 2JxF8anOVP.exe | malicious
                                                                No context
Match | Associated Sample Name / URL | Detection | Context
VALICOM-ASPT | 5Qq54zuREl.exe | malicious | 195.54.170.157
| file.exe | malicious | 195.54.170.157
| q1wLT3xKiY.exe | malicious | 195.54.170.157
| 9n6ctoq7cn.exe | malicious | 195.54.170.157
| xZ4q0nNSPX.exe | malicious | 195.54.170.157
| 9n6ctoq7cn.exe | malicious | 195.54.170.157
| WSkT8d093C.exe | malicious | 195.54.170.157
| em1B8DcC72.exe | malicious | 195.54.170.157
| JMDc707Z03.exe | malicious | 195.54.170.157
| 22nuoItfxs.exe | malicious | 195.54.170.157
| l5Pmw9b4cO.exe | malicious | 195.54.170.157
| FgHKF9V3FB.exe | malicious | 195.54.170.157
| 2JxF8anOVP.exe | malicious | 195.54.170.157
                                                                No context
                                                                No context
                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):65536
                                                                Entropy (8bit):0.6942044114087713
                                                                Encrypted:false
                                                                SSDEEP:96:7iuFK5IGEfZgy4lFxoI7RW6tpXIQcQvc6QcEDMcw3Dr+HbHg/8BRTf3OyWZAXGnv:Z+LExgy+HBUZMXIjuq/u7sAnS274ItP
                                                                MD5:41B6DF60B7C38C441A6994A5BF49A6F7
                                                                SHA1:7EACB9C2C14E3DFB16D0253DDC0E90C0391D2555
                                                                SHA-256:53DD2B75C244060F39149F77B985EB930326BED53026F19224D9216F40C66988
                                                                SHA-512:05437A894D957E431BC3170358AB799872BC174E11B365926518462A59AF6562E74BD0E060676C8AC19B65838092567445A7947A4402394227AB69C2D822E59E
                                                                Malicious:true
                                                                Reputation:low
                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.7.1.4.0.6.1.3.5.5.1.8.2.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.7.1.4.0.6.1.6.4.8.9.3.4.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.d.a.1.9.9.9.-.d.1.a.d.-.4.9.8.7.-.a.c.9.3.-.2.b.1.f.6.a.d.3.9.c.a.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.8.3.2.a.0.e.f.-.b.9.8.0.-.4.8.3.4.-.8.e.f.8.-.a.b.6.e.0.5.e.a.5.3.8.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.5.Q.q.5.4.z.u.R.E.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.i.l.a.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.9.0.-.0.0.0.1.-.0.0.1.9.-.6.9.b.0.-.0.f.2.0.b.d.c.3.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.c.1.b.e.e.9.7.6.6.0.4.c.6.f.e.9.0.9.5.d.c.0.e.8.7.f.3.b.5.2.0.0.0.0.0.0.9.0.4.!.0.0.0.0.6.a.4.b.8.2.2.4.7.8.f.c.7.e.e.8.7.c.e.9.f.5.d.7.c.4.c.3.8.e.c.a.7.1.c.8.1.7.4.b.!.5.Q.
                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                File Type:Mini DuMP crash report, 14 streams, Thu Sep 8 19:56:54 2022, 0x1205a4 type
                                                                Category:dropped
                                                                Size (bytes):34252
                                                                Entropy (8bit):1.755900132947184
                                                                Encrypted:false
                                                                SSDEEP:96:5q8m8M/XpajWKRjZFi7o5zhQNkIhfO3DisvJ5ckTb7JVE5hzG0st2zjWInWIXuIM:HyXpajvRZFOBhKJ5cqXrsh/Gl+9SzY
                                                                MD5:19444D4F2C19BF3F6C58D73B7D0F13B5
                                                                SHA1:1BBB4DD89629193CC5037AD26697AAA89619FC20
                                                                SHA-256:3510A1A18BB7D3F2D9B6767427FE6CA10A1A9905A8C9D566B25CB0EF7C9F35D8
                                                                SHA-512:847B2373E5B5A1D2039EF8EB62F7EDE36444B07098D15123D3329AA289649E4CF30664C237847BB83C220EF0E6BC9F9A15254F7B1E3721B7CD645361CAE13710
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:MDMP....... ........I.c....................................................T.......8...........T...........`...l{...........................................................................................U...........B......4.......GenuineIntelW...........T............H.c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):8398
                                                                Entropy (8bit):3.7010976843031345
                                                                Encrypted:false
                                                                SSDEEP:192:Rrl7r3GLNiXe66Ep3t6YBSqSUogmfXSeCprg89bD6sfVBm:RrlsNiO6P3t6YBfSUogmfXSbDZfK
                                                                MD5:3101168337F63B2A9A472E5F5B75206F
                                                                SHA1:46520292F05B0E5F3104634BB27E32F4540FA462
                                                                SHA-256:85212B1ED536CA03B50F065373AFD20E4480115AAD041460FB22DD04B4A9AE97
                                                                SHA-512:681D93A83AC04D0482EEEBE58C652235CB2F29B1AD86AB0B5AD842804EE798A1F943E2D02224B5CEF3D86EF08337D8BE76D2E60A23FC64EC48B465DBD4C4B784
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.0.0.<./.P.i.d.>.......
                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):4775
                                                                Entropy (8bit):4.494300729913932
                                                                Encrypted:false
                                                                SSDEEP:48:cvIwSD8zsRJgtWI9pCOWgc8sqYjj8fm8M4J0PMFwOP+q8vPPDmbAO2nbnBrd:uITfjKCvgrsqY8JaMKnDmbAdnbnBrd
                                                                MD5:B121F29859D0A0829B1ED37BAF91C2CE
                                                                SHA1:DBC4E134F51DC83850834513E3ED73BCD6C4CD6A
                                                                SHA-256:9675B693788019BEFE64263728C0650AB51B957E45525E9F91E598CAE4560E57
                                                                SHA-512:4980857247BD0867830EC4BDB391E5A56C43FDA7A6CACE1B7C8947E7FCB0319BCD14CCBD4014B20278D0D227B8148601D7492BAA252B7CDD57D0DC53F9D949C1
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1683667" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):6.146529475476847
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:5Qq54zuREl.exe
                                                                File size:1067936
                                                                MD5:ef105c04e69b202408cae62ab05ed460
                                                                SHA1:6a4b822478fc7ee87ce9f5d7c4c38eca71c8174b
                                                                SHA256:6f03dfd71abd06402371157eac912ffeae7871a6d93b8d2dad3242ae59644fcf
                                                                SHA512:fe456bfda4a970157a24ac751f432dc132cf87c74548d02a1ab38b812a70049a739066719626ab54b834f8ed9b72a22bccd284cbc365356f5960c57d134f32c2
                                                                SSDEEP:24576:HjXF6TsrGZj7bU1vosbtXqf9O1iMb+g/9IJ:H56Fj7bU1vFMY7b+o9IJ
                                                                TLSH:0135AF1179D08133EDE320FB06EDB5A2022DE8B10B2149DF66D6D7EEB6B06C16E32557
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@...!...!...!...J...!...J..D!...J...!...[...!...[...!...J...!...!...!...[...!...[...!...[Z..!...[...!..Rich.!.................
                                                                Icon Hash:00828e8e8686b000
                                                                Entrypoint:0x4011ae
                                                                Entrypoint Section:.text
                                                                Digitally signed:true
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x630A7006 [Sat Aug 27 19:27:02 2022 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:6
                                                                OS Version Minor:0
                                                                File Version Major:6
                                                                File Version Minor:0
                                                                Subsystem Version Major:6
                                                                Subsystem Version Minor:0
                                                                Import Hash:48c28d9f3783f0e32815b0b4c57a60a9
                                                                Signature Valid:false
                                                                Signature Issuer:CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                Signature Validation Error:The digital signature of the object did not verify
                                                                Error Number:-2146869232
                                                                Not Before, Not After
                                                                • 5/12/2022 1:47:06 PM 5/11/2023 1:47:06 PM
                                                                Subject Chain
                                                                • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                Version:3
                                                                Thumbprint MD5:EABC613BA6EE76D49AD6FB19EEE33C79
                                                                Thumbprint SHA-1:DE2396BCEB7E3CD13BF3D370424A560F97CABDE7
                                                                Thumbprint SHA-256:9406808DFFD22AF703070F39AEF66208D113859FA99ACC6217A8F879AA56E315
                                                                Serial:33000004916462F3B73EE20CCD000000000491
                                                                Instruction
                                                                jmp 00007F416CBCEC67h
                                                                jmp 00007F416CBE53B9h
                                                                jmp 00007F416CBD7158h
                                                                jmp 00007F416CBC1BC4h
                                                                jmp 00007F416CBB26B4h
                                                                jmp 00007F416CC27809h
                                                                jmp 00007F416CBC2327h
                                                                jmp 00007F416CBE575Eh
                                                                jmp 00007F416CC2E0DAh
                                                                jmp 00007F416CBADC56h
                                                                jmp 00007F416CBCFAA8h
                                                                jmp 00007F416CBDFBBFh
                                                                jmp 00007F416CBB7208h
                                                                jmp 00007F416CBE0B5Eh
                                                                jmp 00007F416CBAE917h
                                                                jmp 00007F416CBAD2B8h
                                                                jmp 00007F416CC1B370h
                                                                jmp 00007F416CB9725Dh
                                                                jmp 00007F416CBF3FB8h
                                                                jmp 00007F416CBBEA51h
                                                                jmp 00007F416CBE7BE1h
                                                                jmp 00007F416CBC9A71h
                                                                jmp 00007F416CBD7D35h
                                                                jmp 00007F416CB9824Fh
                                                                jmp 00007F416CC135F5h
                                                                jmp 00007F416CBEED8Eh
                                                                jmp 00007F416CC2AF9Dh
                                                                jmp 00007F416CBE5CA4h
                                                                jmp 00007F416CBB4E40h
                                                                jmp 00007F416CBD0171h
                                                                jmp 00007F416CBE0B1Fh
                                                                jmp 00007F416CC23F22h
                                                                jmp 00007F416CC10C17h
                                                                jmp 00007F416CC0C7A1h
                                                                jmp 00007F416CBB7829h
                                                                jmp 00007F416CBD7C4Ah
                                                                jmp 00007F416CBE728Ah
                                                                jmp 00007F416CBE7271h
                                                                jmp 00007F416CBCE0B7h
                                                                jmp 00007F416CBC7F97h
                                                                Name | Virtual Address | Virtual Size | Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfd218 | 0x3c | .idata
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xff000 | 0x605 | .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x102600 | 0x25a0 | .reloc
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x100000 | 0x69d4 | .reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0xce760 | 0x38 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xce678 | 0x40 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_IAT | 0xfd000 | 0x218 | .idata
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                .text | 0x1000 | 0xb0b2b | 0xb0c00 | False | 0.36263757514144274 | data | 5.8878105771850295 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                .rdata | 0xb2000 | 0x254d5 | 0x25600 | False | 0.38322402801003347 | data | 4.193927675726189 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .data | 0xd8000 | 0x24878 | 0x22e00 | False | 0.42548023073476704 | data | 6.188480329689431 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                .idata | 0xfd000 | 0xd14 | 0xe00 | False | 0.33816964285714285 | data | 4.526245588273773 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .00cfg | 0xfe000 | 0x10e | 0x200 | False | 0.03515625 | data | 0.11055713125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .rsrc | 0xff000 | 0x605 | 0x800 | False | 0.3505859375 | data | 3.354229781377713 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .reloc | 0x100000 | 0x7954 | 0x7a00 | False | 0.6572105532786885 | data | 6.288367235843316 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                Name | RVA | Size | Type | Language | Country
                                                                RT_VERSION | 0xff0a0 | 0x3e8 | data | English | United States
                                                                RT_MANIFEST | 0xff488 | 0x17d | XML 1.0 document text | English | United States
                                                                DLL | Import
                                                                USER32.dll | FindWindowW, FindWindowA, GetWindowDC, GetForegroundWindow
                                                                KERNEL32.dll | FreeLibrary, CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, GetCurrentProcess, GetCurrentProcessId, GetSystemInfo, VirtualAlloc, SetConsoleTitleA, FormatMessageA, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, LocalFree, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetLocaleInfoEx, GetStringTypeW, CompareStringEx, GetCPInfo, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, TerminateProcess, SetEnvironmentVariableW, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, WriteConsoleW, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetCurrentThread, HeapFree, HeapAlloc, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, SetConsoleCtrlHandler, GetTimeZoneInformation, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW
                                                                Language of compilation system | Country where language is spoken | Map
                                                                English | United States | 
                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Sep 8, 2022 12:57:07.041313887 CEST | 49720 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:57:10.128945112 CEST | 49720 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:57:16.129426956 CEST | 49720 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:57:33.363629103 CEST | 49730 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:57:36.365859032 CEST | 49730 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:57:42.366039991 CEST | 49730 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:57:59.528136015 CEST | 49735 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:58:02.524059057 CEST | 49735 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:58:08.526027918 CEST | 49735 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:58:25.623176098 CEST | 49767 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:58:28.620021105 CEST | 49767 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:58:34.620516062 CEST | 49767 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:58:51.656548023 CEST | 49768 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:58:54.667417049 CEST | 49768 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:59:00.668015957 CEST | 49768 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:59:17.690103054 CEST | 49769 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:59:20.685395002 CEST | 49769 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:59:26.685959101 CEST | 49769 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:59:43.706617117 CEST | 49770 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:59:46.718945026 CEST | 49770 | 16525 | 192.168.2.5 | 195.54.170.157
                                                                Sep 8, 2022 12:59:52.781886101 CEST | 49770 | 16525 | 192.168.2.5 | 195.54.170.157


                                                                Target ID:0
                                                                Start time:12:56:46
                                                                Start date:08/09/2022
                                                                Path:C:\Users\user\Desktop\5Qq54zuREl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\5Qq54zuREl.exe"
                                                                Imagebase:0x1080000
                                                                File size:1067936 bytes
                                                                MD5 hash:EF105C04E69B202408CAE62AB05ED460
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.317838453.0000000001158000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000000.00000000.317838453.0000000001158000.00000004.00000001.01000000.00000003.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.316874184.0000000001158000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000000.00000000.316874184.0000000001158000.00000004.00000001.01000000.00000003.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.333886087.0000000001158000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000000.00000002.333886087.0000000001158000.00000004.00000001.01000000.00000003.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.311786578.0000000002732000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000000.00000003.311786578.0000000002732000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                Reputation:low

                                                                Target ID:1
                                                                Start time:12:56:47
                                                                Start date:08/09/2022
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                Imagebase:0xba0000
                                                                File size:98912 bytes
                                                                MD5 hash:6807F903AC06FF7E1670181378690B22
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.311760106.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000001.00000000.311760106.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                Reputation:high

                                                                Target ID:5
                                                                Start time:12:56:52
                                                                Start date:08/09/2022
                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 252
                                                                Imagebase:0xf40000
                                                                File size:434592 bytes
                                                                MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high


                                                                  Execution Graph

                                                                  Execution Coverage:0.3%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:100%
                                                                  Total number of Nodes:3
                                                                  Total number of Limit Nodes:0
                                                                  Execution graph nodes: 5963 (0x10921e0), 5964 (0x1092204), 5965 (0x109221d, VirtualAlloc)
                                                                  Execution graph edges: 5963 -> 5964, 5964 -> 5965

                                                                  Control-flow Graph

                                                                  Control-flow graph node 0: block 0x10921e0-0x109226c; calls 0x1084642 (2x) and VirtualAlloc
                                                                  C-Code - Quality: 37%
                                                                  			E010921E0() {
                                                                  				intOrPtr _v8;
                                                                  				void* _v12;
                                                                  				void* _v16;
                                                                  				void* _t11;
                                                                  				void* _t15;
                                                                  				intOrPtr _t19;
                                                                  
                                                                  				_v8 = _t19;                                                                  // 0x010921e8
                                                                  				_push(0xf);                                                                  // 0x010921eb
                                                                  				L01084642("true", 0x1ac00, 0x1158000);                                      // 0x010921ff
                                                                  				_push(0xf);                                                                  // 0x01092204
                                                                  				L01084642(0x1172c10, 0x77e, 0x1158000);                                      // 0x01092218
                                                                  				_v16 = 0;                                                                    // 0x0109221d
                                                                  				_t11 = VirtualAlloc(0, 0x77e, 0x3000, 0x40); // executed                     // 0x01092232
                                                                  				_v12 = _t11;                                                                 // 0x01092238
                                                                  				memcpy(_v12, 0x1172c10, 0x1df << 2);                                         // 0x01092248
                                                                  				asm("movsw");                                                                // 0x0109224a
                                                                  				_push(L"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"); // 0x01092259
                                                                  				_pop(_t30);                                                                  // 0x0109225a
                                                                  				_t15 = 0x1158010;                                                            // 0x0109225b
                                                                  				_push(_t15);                                                                 // 0x0109225c
                                                                  				_push(0);                                                                    // 0x0109225d
                                                                  				_push(_v12 + 0x181);                                                         // 0x01092269
                                                                  				_push(0);                                                                    // 0x0109226c
                                                                  				goto __eax;                                                                  // 0x0109226e
                                                                  			}

                                                                  APIs
                                                                  • VirtualAlloc.KERNELBASE(00000000,0000077E,00003000,00000040,01172C10,0000077E,01158000,0000000F,?,0001AC00,01158000,0000000F), ref: 01092232
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.333726693.000000000108F000.00000020.00000001.01000000.00000003.sdmp, Offset: 01080000, based on PE: true
                                                                  • Associated: 00000000.00000002.333671113.0000000001080000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333690539.0000000001081000.00000020.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333714855.000000000108B000.00000020.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333793281.00000000010A4000.00000020.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333854484.000000000112B000.00000020.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333861523.0000000001133000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333886087.0000000001158000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333910499.0000000001178000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333917208.000000000117D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333922268.000000000117F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1080000_5Qq54zuREl.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                  • API String ID: 4275171209-448403072
                                                                  • Opcode ID: f48b0625b5c0967cb64dfb7e7c4e4ec1e32416520328dbde0f2345abc81e748e
                                                                  • Instruction ID: 2441a93fa66ada2164623e4527b34714417cd410a2d7e06720e176814f863dba
                                                                  • Opcode Fuzzy Hash: f48b0625b5c0967cb64dfb7e7c4e4ec1e32416520328dbde0f2345abc81e748e
                                                                  • Instruction Fuzzy Hash: 1F016270F84208FBE72496968D17FAB7A79EB04B54F204064BA04FB3C0C6F02D419794
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 85%
                                                                  			E010C912A(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
                                                                  				char _v0;
                                                                  				struct _EXCEPTION_POINTERS _v12;
                                                                  				intOrPtr _v80;
                                                                  				intOrPtr _v88;
                                                                  				char _v92;
                                                                  				intOrPtr _v608;
                                                                  				intOrPtr _v612;
                                                                  				void* _v616;
                                                                  				intOrPtr _v620;
                                                                  				char _v624;
                                                                  				intOrPtr _v628;
                                                                  				intOrPtr _v632;
                                                                  				intOrPtr _v636;
                                                                  				intOrPtr _v640;
                                                                  				intOrPtr _v644;
                                                                  				intOrPtr _v648;
                                                                  				intOrPtr _v652;
                                                                  				intOrPtr _v656;
                                                                  				intOrPtr _v660;
                                                                  				intOrPtr _v664;
                                                                  				intOrPtr _v668;
                                                                  				char _v808;
                                                                  				char* _t39;
                                                                  				long _t49;
                                                                  				intOrPtr _t51;
                                                                  				void* _t54;
                                                                  				intOrPtr _t55;
                                                                  				intOrPtr _t57;
                                                                  				intOrPtr _t58;
                                                                  				intOrPtr _t59;
                                                                  				intOrPtr* _t60;
                                                                  
                                                                  				_t59 = __esi;
                                                                  				_t58 = __edi;
                                                                  				_t57 = __edx;
                                                                  				if(IsProcessorFeaturePresent(0x17) != 0) {
                                                                  					_t55 = _a4;
                                                                  					asm("int 0x29");
                                                                  				}
                                                                  				L01084B15(_t34);
                                                                  				 *_t60 = 0x2cc;
                                                                  				_v632 = L01082F04(_t58,  &_v808, 0, 3);
                                                                  				_v636 = _t55;
                                                                  				_v640 = _t57;
                                                                  				_v644 = _t51;
                                                                  				_v648 = _t59;
                                                                  				_v652 = _t58;
                                                                  				_v608 = ss;
                                                                  				_v620 = cs;
                                                                  				_v656 = ds;
                                                                  				_v660 = es;
                                                                  				_v664 = fs;
                                                                  				_v668 = gs;
                                                                  				asm("pushfd");
                                                                  				_pop( *_t15);
                                                                  				_v624 = _v0;
                                                                  				_t39 =  &_v0;
                                                                  				_v612 = _t39;
                                                                  				_v808 = 0x10001;
                                                                  				_v628 =  *((intOrPtr*)(_t39 - 4));
                                                                  				L01082F04(_t58,  &_v92, 0, 0x50);
                                                                  				_v92 = 0x40000015;
                                                                  				_v88 = 1;
                                                                  				_v80 = _v0;
                                                                  				_t28 = IsDebuggerPresent() - 1; // -1
                                                                  				_v12.ExceptionRecord =  &_v92;
                                                                  				asm("sbb bl, bl");
                                                                  				_v12.ContextRecord =  &_v808;
                                                                  				_t54 =  ~_t28 + 1;
                                                                  				SetUnhandledExceptionFilter(0);
                                                                  				_t49 = UnhandledExceptionFilter( &_v12);
                                                                  				if(_t49 == 0 && _t54 == 0) {
                                                                  					_push(3);
                                                                  					return L01084B15(_t49);
                                                                  				}
                                                                  				return _t49;
                                                                  			}

                                                                  APIs
                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 010C9136
                                                                  • IsDebuggerPresent.KERNEL32 ref: 010C9202
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 010C9222
                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 010C922C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.333793281.00000000010A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 01080000, based on PE: true
                                                                  • Associated: 00000000.00000002.333671113.0000000001080000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333690539.0000000001081000.00000020.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333714855.000000000108B000.00000020.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333726693.000000000108F000.00000020.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333854484.000000000112B000.00000020.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333861523.0000000001133000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333886087.0000000001158000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333910499.0000000001178000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333917208.000000000117D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.333922268.000000000117F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1080000_5Qq54zuREl.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                  • String ID:
                                                                  • API String ID: 254469556-0
                                                                  • Opcode ID: 51f44fe9e8ee0e7d2345b0c9d986b09225926d566c3d8ef91ea985cd015430ca
                                                                  • Instruction ID: d00e36bb7aac35063e96a735357e71ee1dc63f7a239b6626dd9173572322dc5a
                                                                  • Opcode Fuzzy Hash: 51f44fe9e8ee0e7d2345b0c9d986b09225926d566c3d8ef91ea985cd015430ca
                                                                  • Instruction Fuzzy Hash: 04310BB5D0521D9BDF21DFA4D9897CCBBB8AF08304F1041A9E54DAB240EB719A85CF04
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 88%
                                                                  			E010C98BB(signed int __edx) {
                                                                  				signed int _v8;
                                                                  				signed int _v12;
                                                                  				signed int _v16;
                                                                  				signed int _v20;
                                                                  				signed int _v24;
                                                                  				signed int _v28;
                                                                  				signed int _v32;
                                                                  				signed int _v36;
                                                                  				signed int _v40;
                                                                  				intOrPtr _t60;
                                                                  				signed int _t61;
                                                                  				signed int _t62;
                                                                  				signed int _t63;
                                                                  				signed int _t66;
                                                                  				signed int _t67;
                                                                  				signed int _t73;
                                                                  				intOrPtr _t74;
                                                                  				intOrPtr _t75;
                                                                  				intOrPtr* _t77;
                                                                  				signed int _t78;
                                                                  				intOrPtr* _t82;
                                                                  				signed int _t85;
                                                                  				signed int _t90;
                                                                  				intOrPtr* _t93;
                                                                  				signed int _t96;
                                                                  				signed int _t99;
                                                                  				signed int _t104;
                                                                  
                                                                  				_t90 = __edx;
                                                                  				 *0x117b504 =  *0x117b504 & 0x00000000;
                                                                  				 *0x1178b90 =  *0x1178b90 | 0x00000001;
                                                                  				if(IsProcessorFeaturePresent(0xa) == 0) {
                                                                  					L23:
                                                                  					return 0;
                                                                  				}
                                                                  				_v20 = _v20 & 0x00000000;
                                                                  				_push(_t74);
                                                                  				_t93 =  &_v40;
                                                                  				asm("cpuid");
                                                                  				_t75 = _t74;
                                                                  				 *_t93 = 0;
                                                                  				 *((intOrPtr*)(_t93 + 4)) = _t74;
                                                                  				 *((intOrPtr*)(_t93 + 8)) = 0;
                                                                  				 *(_t93 + 0xc) = _t90;
                                                                  				_v16 = _v40;
                                                                  				_v8 = _v28 ^ 0x49656e69;
                                                                  				_v12 = _v32 ^ 0x6c65746e;
                                                                  				_push(_t75);
                                                                  				asm("cpuid");
                                                                  				_t77 =  &_v40;
                                                                  				 *_t77 = 1;
                                                                  				 *((intOrPtr*)(_t77 + 4)) = _t75;
                                                                  				 *((intOrPtr*)(_t77 + 8)) = 0;
                                                                  				 *(_t77 + 0xc) = _t90;
                                                                  				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
                                                                  					L9:
                                                                  					_t96 =  *0x117b508; // 0x2
                                                                  					L10:
                                                                  					_t85 = _v32;
                                                                  					_t60 = 7;
                                                                  					_v8 = _t85;
                                                                  					if(_v16 < _t60) {
                                                                  						_t78 = _v20;
                                                                  					} else {
                                                                  						_push(_t77);
                                                                  						asm("cpuid");
                                                                  						_t82 =  &_v40;
                                                                  						 *_t82 = _t60;
                                                                  						 *((intOrPtr*)(_t82 + 4)) = _t77;
                                                                  						 *((intOrPtr*)(_t82 + 8)) = 0;
                                                                  						_t85 = _v8;
                                                                  						 *(_t82 + 0xc) = _t90;
                                                                  						_t78 = _v36;
                                                                  						if((_t78 & 0x00000200) != 0) {
                                                                  							 *0x117b508 = _t96 | 0x00000002;
                                                                  						}
                                                                  					}
                                                                  					_t61 =  *0x1178b90; // 0x6f
                                                                  					_t62 = _t61 | 0x00000002;
                                                                  					 *0x117b504 = 1;
                                                                  					 *0x1178b90 = _t62;
                                                                  					if((_t85 & 0x00100000) != 0) {
                                                                  						_t63 = _t62 | 0x00000004;
                                                                  						 *0x117b504 = 2;
                                                                  						 *0x1178b90 = _t63;
                                                                  						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
                                                                  							asm("xgetbv");
                                                                  							_v24 = _t63;
                                                                  							_v20 = _t90;
                                                                  							_t104 = 6;
                                                                  							if((_v24 & _t104) == _t104) {
                                                                  								_t66 =  *0x1178b90; // 0x6f
                                                                  								_t67 = _t66 | 0x00000008;
                                                                  								 *0x117b504 = 3;
                                                                  								 *0x1178b90 = _t67;
                                                                  								if((_t78 & 0x00000020) != 0) {
                                                                  									 *0x117b504 = 5;
                                                                  									 *0x1178b90 = _t67 | 0x00000020;
                                                                  									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
                                                                  										 *0x1178b90 =  *0x1178b90 | 0x00000040;
                                                                  										 *0x117b504 = _t104;
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  					goto L23;
                                                                  				}
                                                                  				_t73 = _v40 & 0x0fff3ff0;
                                                                  				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
                                                                  					_t99 =  *0x117b508; // 0x2
                                                                  					_t96 = _t99 | 0x00000001;
                                                                  					 *0x117b508 = _t96;
                                                                  					goto L10;
                                                                  				} else {
                                                                  					goto L9;
                                                                  				}
                                                                  			}
                                                                  0x010c9a0d
                                                                  0x00000000
                                                                  0x010c9a8a
                                                                  0x010c994b
                                                                  0x010c9955
                                                                  0x010c997a
                                                                  0x010c9980
                                                                  0x010c9983
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000

                                                                  APIs
                                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 010C98D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.333793281.00000000010A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 01080000, based on PE: true
• Associated: 00000000.00000002.333671113.0000000001080000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333690539.0000000001081000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333714855.000000000108B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333726693.000000000108F000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333854484.000000000112B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333861523.0000000001133000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333886087.0000000001158000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333910499.0000000001178000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333917208.000000000117D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333922268.000000000117F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1080000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FeaturePresentProcessor
                                                                  • String ID:
                                                                  • API String ID: 2325560087-0
                                                                  • Opcode ID: 00a78a2867684f9fa776a56301b5abba7c152884c82898f91b876781a4f25693
                                                                  • Instruction ID: 421f25b82b1b3123df7e1d45b8e5ab4e54aafe68f9d7a03ed73e625c148f64d1
                                                                  • Opcode Fuzzy Hash: 00a78a2867684f9fa776a56301b5abba7c152884c82898f91b876781a4f25693
                                                                  • Instruction Fuzzy Hash: 5C5169B1A152068FEB29CF6CD4857AEBBF0FB44714F1484AAC555EB384D7749980CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002), ref: 010C78B1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.333793281.00000000010A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 01080000, based on PE: true
• Associated: 00000000.00000002.333671113.0000000001080000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333690539.0000000001081000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333714855.000000000108B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333726693.000000000108F000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333854484.000000000112B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333861523.0000000001133000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333886087.0000000001158000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333910499.0000000001178000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333917208.000000000117D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333922268.000000000117F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1080000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: 99f6f2317e670ae1301d531b969109eaa5d7934716c68ba23965fa8e5787076f
                                                                  • Instruction ID: aa90b568f801a036940fb656bfef1c8dcd7c4fa6f824405c1e5f5844e3788e54
                                                                  • Opcode Fuzzy Hash: 99f6f2317e670ae1301d531b969109eaa5d7934716c68ba23965fa8e5787076f
                                                                  • Instruction Fuzzy Hash: 96E09B3219010566E7665B7C590FFAF3AD8EB01B06F104195A342D40D1C690C604DA51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph
                                                                  C-Code - Quality: 72%
                                                                  			E010C7F70(intOrPtr _a4, intOrPtr _a8, short* _a12, short* _a16, char* _a20, int _a24, int _a28) {
                                                                  				signed int _v8;
                                                                  				char _v22;
                                                                  				struct _cpinfo _v28;
                                                                  				int _v32;
                                                                  				char* _v36;
                                                                  				short* _v40;
                                                                  				int _v44;
                                                                  				short* _v48;
                                                                  				short* _v52;
                                                                  				intOrPtr _v56;
                                                                  				void* _v68;
                                                                  				void* __ebx;
                                                                  				void* __edi;
                                                                  				void* __esi;
                                                                  				signed int _t54;
                                                                  				short* _t58;
                                                                  				signed int _t63;
                                                                  				signed int _t64;
                                                                  				short* _t66;
                                                                  				signed int _t68;
                                                                  				signed int _t69;
                                                                  				short* _t72;
                                                                  				char* _t75;
                                                                  				char* _t76;
                                                                  				int _t79;
                                                                  				intOrPtr _t88;
                                                                  				intOrPtr _t89;
                                                                  				short* _t96;
                                                                  				signed int _t97;
                                                                  				short* _t98;
                                                                  
                                                                  				_t54 =  *0x1178b64; // 0x3b364fa5
                                                                  				_v8 = _t54 ^ _t97;
                                                                  				_t96 = _a12;
                                                                  				_t95 = _a16;
                                                                  				_v56 = _a4;
                                                                  				_t57 = _a20;
                                                                  				_v32 = _t96;
                                                                  				_v36 = _a20;
                                                                  				if(_t95 <= 0) {
                                                                  					if(_t95 < 0xffffffff) {
                                                                  						goto L56;
                                                                  					}
                                                                  					goto L3;
                                                                  				} else {
                                                                  					_t95 = L0108265D(_t96, _t95);
                                                                  					_t57 = _v36;
                                                                  					L3:
                                                                  					_t79 = _a24;
                                                                  					if(_t79 <= 0) {
                                                                  						if(_t79 < 0xffffffff) {
                                                                  							L56:
                                                                  							_t58 = 0;
                                                                  							L57:
                                                                  							return L01082E46(_t58, _t79, _v8 ^ _t97, _t94, _t95, _t96);
                                                                  						}
                                                                  						L6:
                                                                  						if(_t95 == 0 || _t79 == 0) {
                                                                  							if(_t95 == _t79) {
                                                                  								L55:
                                                                  								_push(2);
                                                                  								L20:
                                                                  								_pop(_t58);
                                                                  								goto L57;
                                                                  							}
                                                                  							if(_t79 > 1) {
                                                                  								L29:
                                                                  								_t58 = 1;
                                                                  								goto L57;
                                                                  							}
                                                                  							if(_t95 > 1) {
                                                                  								L19:
                                                                  								_push(3);
                                                                  								goto L20;
                                                                  							}
                                                                  							if(GetCPInfo(_a28,  &_v28) == 0) {
                                                                  								goto L56;
                                                                  							}
                                                                  							if(_t95 <= 0) {
                                                                  								if(_t79 <= 0) {
                                                                  									goto L30;
                                                                  								}
                                                                  								if(_v28 < 2) {
                                                                  									goto L29;
                                                                  								}
                                                                  								_t75 =  &_v22;
                                                                  								if(_v22 == 0) {
                                                                  									goto L29;
                                                                  								}
                                                                  								_t95 = _v36;
                                                                  								while(1) {
                                                                  									_t88 =  *((intOrPtr*)(_t75 + 1));
                                                                  									if(_t88 == 0) {
                                                                  										goto L29;
                                                                  									}
                                                                  									_t94 =  *_t95;
                                                                  									if(_t94 <  *_t75 || _t94 > _t88) {
                                                                  										_t75 = _t75 + 2;
                                                                  										if( *_t75 != 0) {
                                                                  											continue;
                                                                  										}
                                                                  										goto L29;
                                                                  									} else {
                                                                  										goto L55;
                                                                  									}
                                                                  								}
                                                                  								goto L29;
                                                                  							}
                                                                  							if(_v28 < 2) {
                                                                  								goto L19;
                                                                  							}
                                                                  							_t76 =  &_v22;
                                                                  							if(_v22 == 0) {
                                                                  								goto L19;
                                                                  							} else {
                                                                  								goto L15;
                                                                  							}
                                                                  							while(1) {
                                                                  								L15:
                                                                  								_t89 =  *((intOrPtr*)(_t76 + 1));
                                                                  								if(_t89 == 0) {
                                                                  									goto L19;
                                                                  								}
                                                                  								_t94 =  *_t96;
                                                                  								if(_t94 <  *_t76 || _t94 > _t89) {
                                                                  									_t76 = _t76 + 2;
                                                                  									if( *_t76 != 0) {
                                                                  										continue;
                                                                  									}
                                                                  									goto L19;
                                                                  								} else {
                                                                  									goto L55;
                                                                  								}
                                                                  							}
                                                                  							goto L19;
                                                                  						} else {
                                                                  							L30:
                                                                  							_t96 = 0;
                                                                  							_t63 = MultiByteToWideChar(_a28, 9, _v32, _t95, 0, 0);
                                                                  							_v44 = _t63;
                                                                  							if(_t63 == 0) {
                                                                  								goto L56;
                                                                  							}
                                                                  							_t94 = _t63 + _t63 + 8;
                                                                  							asm("sbb eax, eax");
                                                                  							_t64 = _t63 & _t63 + _t63 + 0x00000008;
                                                                  							if(_t64 == 0) {
                                                                  								_v52 = 0;
                                                                  								L54:
                                                                  								L010834F9( &_v52);
                                                                  								_t58 = _t96;
                                                                  								goto L57;
                                                                  							}
                                                                  							if(_t64 > 0x400) {
                                                                  								_push(_t64);
                                                                  								_t66 = L0108154B();
                                                                  								_v40 = _t66;
                                                                  								if(_t66 == 0) {
                                                                  									L38:
                                                                  									_v52 = _t66;
                                                                  									if(_t66 == 0 || MultiByteToWideChar(_a28, 1, _v32, _t95, _t66, _v44) == 0) {
                                                                  										goto L54;
                                                                  									} else {
                                                                  										_t95 = _v36;
                                                                  										_t68 = MultiByteToWideChar(_a28, 9, _v36, _t79, _t96, _t96);
                                                                  										_v32 = _t68;
                                                                  										if(_t68 == 0) {
                                                                  											goto L54;
                                                                  										}
                                                                  										_t94 = _t68 + _t68 + 8;
                                                                  										asm("sbb eax, eax");
                                                                  										_t69 = _t68 & _t68 + _t68 + 0x00000008;
                                                                  										if(_t69 == 0) {
                                                                  											_v48 = _t96;
                                                                  											L52:
                                                                  											L010834F9( &_v48);
                                                                  											goto L54;
                                                                  										}
                                                                  										if(_t69 > 0x400) {
                                                                  											_push(_t69);
                                                                  											_t95 = L0108154B();
                                                                  											if(_t95 == 0) {
                                                                  												L48:
                                                                  												_v48 = _t95;
                                                                  												if(_t95 != 0) {
                                                                  													_t72 = MultiByteToWideChar(_a28, 1, _v36, _t79, _t95, _v32);
                                                                  													if(_t72 != 0) {
                                                                  														__imp__CompareStringEx(_v56, _a8, _v40, _v44, _t95, _v32, _t96, _t96, _t96);
                                                                  														_t96 = _t72;
                                                                  													}
                                                                  												}
                                                                  												goto L52;
                                                                  											}
                                                                  											 *_t95 = 0xdddd;
                                                                  											L47:
                                                                  											_t95 =  &(_t95[4]);
                                                                  											goto L48;
                                                                  										}
                                                                  										L0108322E(_t69);
                                                                  										_t95 = _t98;
                                                                  										if(_t95 == 0) {
                                                                  											goto L48;
                                                                  										}
                                                                  										 *_t95 = 0xcccc;
                                                                  										goto L47;
                                                                  									}
                                                                  								}
                                                                  								 *_t66 = 0xdddd;
                                                                  								L37:
                                                                  								_t66 =  &(_t66[4]);
                                                                  								_v40 = _t66;
                                                                  								goto L38;
                                                                  							}
                                                                  							L0108322E(_t64);
                                                                  							_t66 = _t98;
                                                                  							_v40 = _t66;
                                                                  							if(_t66 == 0) {
                                                                  								goto L38;
                                                                  							}
                                                                  							 *_t66 = 0xcccc;
                                                                  							goto L37;
                                                                  						}
                                                                  					}
                                                                  					_t79 = L0108265D(_t57, _t79);
                                                                  					goto L6;
                                                                  				}
			}

[Disassembly for the function at 0x010c7f76-0x010c81d5: only the instruction address column survived extraction; the instruction text is not preserved. The function's import calls are listed under APIs below and match the MSVC CRT's ANSI-to-wide CompareString wrapper (GetCPInfo, MultiByteToWideChar, CompareStringEx), i.e. statically linked runtime code rather than sample-specific logic.]

                                                                  APIs
                                                                  • GetCPInfo.KERNEL32(?,?), ref: 010C7FFB
                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 010C8089
                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 010C80FB
                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 010C8115
                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 010C8178
                                                                  • CompareStringEx.KERNEL32 ref: 010C8195
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.333793281.00000000010A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 01080000, based on PE: true
• Associated: 00000000.00000002.333671113.0000000001080000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333690539.0000000001081000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333714855.000000000108B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333726693.000000000108F000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333854484.000000000112B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333861523.0000000001133000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333886087.0000000001158000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333910499.0000000001178000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333917208.000000000117D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333922268.000000000117F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1080000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$CompareInfoString
                                                                  • String ID:
                                                                  • API String ID: 2984826149-0
                                                                  • Opcode ID: 2824984c459bb11bc565aa126fd4ac2929ddb1c6719129402d2aed2e0d402046
                                                                  • Instruction ID: bb7d7bd18cce09a26eebc3b905b015766742dbde05a781687e3bf67b1213fd70
                                                                  • Opcode Fuzzy Hash: 2824984c459bb11bc565aa126fd4ac2929ddb1c6719129402d2aed2e0d402046
                                                                  • Instruction Fuzzy Hash: 4771B57190024AAFEF619F99CC40AEF7FFAAF85A50F28805EE984A7150D735C841CF64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed)

• 53 basic blocks covering 10ac6d7-10ac8a2
• Import calls: MultiByteToWideChar (2), LCMapStringEx (3), WideCharToMultiByte (1), the MSVC CRT ANSI LCMapString wrapper pattern
• Internal calls: 108265d, 108322e, 108154b, 10834f9, 1082e46
                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 010AC720
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000), ref: 010AC78B
                                                                  • LCMapStringEx.KERNEL32 ref: 010AC7A8
                                                                  • LCMapStringEx.KERNEL32 ref: 010AC7E7
                                                                  • LCMapStringEx.KERNEL32 ref: 010AC846
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 010AC869
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.333793281.00000000010A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 01080000, based on PE: true
• Associated: 00000000.00000002.333671113.0000000001080000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333690539.0000000001081000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333714855.000000000108B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333726693.000000000108F000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333854484.000000000112B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333861523.0000000001133000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333886087.0000000001158000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333910499.0000000001178000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333917208.000000000117D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333922268.000000000117F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1080000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ByteCharMultiStringWide
                                                                  • String ID:
                                                                  • API String ID: 2829165498-0
                                                                  • Opcode ID: ef56482a76bba922a4a4bf1fe2724b99d467b0c4530f2a908118b3343fc07a2b
                                                                  • Instruction ID: 3218a2bb94a5a7850542e354af0b2e38991146466171a5027356ff68e06944e8
                                                                  • Opcode Fuzzy Hash: ef56482a76bba922a4a4bf1fe2724b99d467b0c4530f2a908118b3343fc07a2b
                                                                  • Instruction Fuzzy Hash: 3E51AE7250020AABFF215FE8DD44FAE7FB9FF446A0F964065FA95A6150EB30C851CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed)

• 54 basic blocks covering 10cf0a0-10cf273
• No import calls. Internal calls: 1085de4, 10cf060 (called three times, from the blocks that contain the three _ValidateLocalCookies refs below), 1082617, 1082e91, 1085731, 108544d, 108205e, 10845c5, 1081ca3, 10841a6, 1084b10
• Cookie validation plus the "csm" string ID (the byte form of the C++ exception code 0xE06D7363) is consistent with the CRT SEH frame handler __except_handler4
                                                                  APIs
                                                                  • _ValidateLocalCookies.LIBCMT ref: 010CF0D7
                                                                  • _ValidateLocalCookies.LIBCMT ref: 010CF168
                                                                  • _ValidateLocalCookies.LIBCMT ref: 010CF1E8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.333793281.00000000010A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 01080000, based on PE: true
• Associated: 00000000.00000002.333671113.0000000001080000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333690539.0000000001081000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333714855.000000000108B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333726693.000000000108F000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333854484.000000000112B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333861523.0000000001133000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333886087.0000000001158000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333910499.0000000001178000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333917208.000000000117D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.333922268.000000000117F000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1080000_5Qq54zuREl.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CookiesLocalValidate
                                                                  • String ID: csm
                                                                  • API String ID: 2268201637-1018135373
                                                                  • Opcode ID: d1dc9fc42dd84f407e44eca7202496db41d71289c3b1f1e8e2b7eace7385d22e
                                                                  • Instruction ID: e260b84a6486914399dd611b4eead30566bf0fbc0ed822ace0aa3ac35d358343
                                                                  • Opcode Fuzzy Hash: d1dc9fc42dd84f407e44eca7202496db41d71289c3b1f1e8e2b7eace7385d22e
                                                                  • Instruction Fuzzy Hash: 3841A334A0021A9FCF10EF68C884ADE7FF2AF86B14F148199EC949B355D7319956CF92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
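The three 5Qq54zuREl.exe function blocks above share one shape: an APIs list with `ref:` call sites, a dump source and a fuzzy hash, and a uniqueness score the sandbox did not compute. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses those API bullets and matches each block's API set against the call patterns of statically linked MSVC CRT helpers (the ANSI-to-wide CompareStringEx and LCMapStringEx wrappers and the cookie-validating SEH frame handler seen in these blocks), so runtime code can be set aside and review time spent on sample-specific functions. The three sample blocks are copied from this page; the fourth is constructed and marked hypothetical to exercise the no-match path. The CRT symbol names in `CRT_PATTERNS` are the commonly documented ones and vary by toolchain version; the match is on the API set, not on the name.

```python
import re
from typing import Dict, List, Set, Tuple

# One "APIs" bullet of a Joe Sandbox function block, e.g.
#   • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 010C8089
#   • CompareStringEx.KERNEL32 ref: 010C8195
API_LINE = re.compile(
    r"^\s*•\s*([A-Za-z_]\w*)\.([A-Za-z_]\w*)"            # API name, module
    r"(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"    # optional args, call site
)

# API sets of statically linked MSVC CRT helpers. Symbol names differ between
# CRT generations (__crt* vs. UCRT __acrt_*); the call pattern identifies them.
# A block whose imports equal one of these sets is runtime code, not sample logic.
CRT_PATTERNS: Dict[str, Set[str]] = {
    "CRT ANSI CompareString wrapper (__crtCompareStringA/__acrt_CompareStringA)":
        {"GetCPInfo", "MultiByteToWideChar", "CompareStringEx"},
    "CRT ANSI LCMapString wrapper (__crtLCMapStringA/__acrt_LCMapStringA)":
        {"MultiByteToWideChar", "LCMapStringEx", "WideCharToMultiByte"},
    "CRT SEH frame handler with cookie checks (__except_handler4)":
        {"_ValidateLocalCookies"},
}
UNKNOWN = "no CRT pattern match: review manually"


def parse_api_lines(block: str) -> List[Tuple[str, str, str, int]]:
    """Return (api, module, raw_args, call_site) for each API bullet in a block."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if m:
            api, module, args, ref = m.groups()
            calls.append((api, module, args or "", int(ref, 16)))
    return calls


def classify_block(block: str) -> Dict[str, object]:
    """Summarise one block: distinct APIs, call sites and a triage label."""
    calls = parse_api_lines(block)
    apis = {c[0] for c in calls}
    label = UNKNOWN
    for name, pattern in CRT_PATTERNS.items():
        if apis == pattern:
            label = name
            break
    return {
        "apis": sorted(apis),
        "call_count": len(calls),
        "call_sites": [hex(c[3]) for c in calls],
        "label": label,
    }


def triage(blocks: Dict[str, str]) -> Dict[str, str]:
    """Map function start address -> triage label for a set of report blocks."""
    return {addr: classify_block(text)["label"] for addr, text in blocks.items()}


# Sample input: the APIs lines of the three function blocks shown on this page,
# plus one constructed (hypothetical) block to exercise the no-match path.
SAMPLE_BLOCKS: Dict[str, str] = {
    "0x010c7f76": """
• GetCPInfo.KERNEL32(?,?), ref: 010C7FFB
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 010C8089
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 010C80FB
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 010C8115
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 010C8178
• CompareStringEx.KERNEL32 ref: 010C8195
""",
    "0x010ac6d7": """
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 010AC720
• MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000), ref: 010AC78B
• LCMapStringEx.KERNEL32 ref: 010AC7A8
• LCMapStringEx.KERNEL32 ref: 010AC7E7
• LCMapStringEx.KERNEL32 ref: 010AC846
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 010AC869
""",
    "0x010cf0a0": """
• _ValidateLocalCookies.LIBCMT ref: 010CF0D7
• _ValidateLocalCookies.LIBCMT ref: 010CF168
• _ValidateLocalCookies.LIBCMT ref: 010CF1E8
""",
    # Hypothetical block, not from the report: a suspended-process creation import set.
    "0xdeadbeef (constructed)": """
• CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: DEADBEEF
• WriteProcessMemory.KERNEL32 ref: DEADBEF0
• ResumeThread.KERNEL32 ref: DEADBEF1
""",
}

if __name__ == "__main__":
    for addr, label in triage(SAMPLE_BLOCKS).items():
        print(f"{addr}: {label}")
```

Exact set equality is deliberate: a block that calls the CRT wrapper APIs plus anything else is not the wrapper and falls through to manual review. Extend `CRT_PATTERNS` with further runtime helpers as they are confirmed in a given toolchain's CRT source rather than guessing from names alone.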

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ,u-$,u-$ Bk
                                                                  • API String ID: 0-4267386581
                                                                  • Opcode ID: 1cfe2cf43e33ad8bf805e6dfc73fc66eacdad659baa95c17fe9522f3fc34fd48
                                                                  • Instruction ID: 852399a454bf36c7d5020665421936e96eb6c26d1f5c5eef1a0c0fdc6fa5995c
                                                                  • Opcode Fuzzy Hash: 1cfe2cf43e33ad8bf805e6dfc73fc66eacdad659baa95c17fe9522f3fc34fd48
                                                                  • Instruction Fuzzy Hash: E7D1E134B002548FCB54DBB8D5A8AAE7BF7AF89200F1484A9D506DB3A5DF34DC06CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: l3-$ Bk
                                                                  • API String ID: 0-1601281050
                                                                  • Opcode ID: ab7ab55a205f93d8a9e8e526c43fb47a0d5bfa7cd2d7bdda7b665c2c8922519e
                                                                  • Instruction ID: 9177013adf1844d392ce66ed6a3731a9f22efc81eec3b48514c29ca6db0338ba
                                                                  • Opcode Fuzzy Hash: ab7ab55a205f93d8a9e8e526c43fb47a0d5bfa7cd2d7bdda7b665c2c8922519e
                                                                  • Instruction Fuzzy Hash: 5DE16E34A01205DFCB54DFA4E598A9EBBB2FF88314F148968E5169B7A0DB30EC45CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: l3-$ Bk
                                                                  • API String ID: 0-1601281050
                                                                  • Opcode ID: 1899efbc7cf9d6f2b44b38f17ba39f5dc37d68d9fb7a9a49046c6d0541546df9
                                                                  • Instruction ID: d8ede5bd22de5b88f4f2b6fea7426c699afc968901cc3d9f1e2385c77effbd07
                                                                  • Opcode Fuzzy Hash: 1899efbc7cf9d6f2b44b38f17ba39f5dc37d68d9fb7a9a49046c6d0541546df9
                                                                  • Instruction Fuzzy Hash: 49916074A01205DFCB54DF68D59899DBBB2FF88314F148969E806AB3A1DB30EC46CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ,u-$ Bk
                                                                  • API String ID: 0-446558738
                                                                  • Opcode ID: c8d3b71308e4b3217304daa0b971c0b232dd7c54c5aeb6a28f6600ca82a98f77
                                                                  • Instruction ID: 523a3ee7e333b8ec3dee072c075842101f37ccbd97d24278f76e673a97a408ae
                                                                  • Opcode Fuzzy Hash: c8d3b71308e4b3217304daa0b971c0b232dd7c54c5aeb6a28f6600ca82a98f77
                                                                  • Instruction Fuzzy Hash: D0715D75E002098FDB18DFA8E4546AEBBF3BF89304F208529D906EB355DB749C46CB81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: |6-$|6-
                                                                  • API String ID: 0-1457625736
                                                                  • Opcode ID: a682a0ae959e4eb0defbb41886a9b0bd0a0a9e3f52fe2a971af3fc7f5f4c14bd
                                                                  • Instruction ID: b18b9612ca1aa9e9a9d074f678b7a0fad5646b26def29e6af834a4f348a16bb7
                                                                  • Opcode Fuzzy Hash: a682a0ae959e4eb0defbb41886a9b0bd0a0a9e3f52fe2a971af3fc7f5f4c14bd
                                                                  • Instruction Fuzzy Hash: 15015E317023409BCB14AA74F45862AB7A7FBC4219F54482DD54687755CBB1EC0ACB86
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5805b30c9fc31fa9aa04c9e3b5639f905c3a4aac441e42654f9a9cca2b1de3af
                                                                  • Instruction ID: ceb721432ca94bf6f6f4d77be55eb91bef065a720de1828ef2cbb5a5edcb3a6b
                                                                  • Opcode Fuzzy Hash: 5805b30c9fc31fa9aa04c9e3b5639f905c3a4aac441e42654f9a9cca2b1de3af
                                                                  • Instruction Fuzzy Hash: 21130138901218EFDB155B70D6649D9B732FF4931AB2088ABDC1236B56DF3B9892DF01
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8c@g
                                                                  • API String ID: 0-2112209365
                                                                  • Opcode ID: be1c4c573e2ba3ecee856cdcf616b4385757c7f047febfb44775d5fc36b38a42
                                                                  • Instruction ID: 94a700f7c59a0364596c49d0daa10be340257e93851b7ba75323872c278fade6
                                                                  • Opcode Fuzzy Hash: be1c4c573e2ba3ecee856cdcf616b4385757c7f047febfb44775d5fc36b38a42
                                                                  • Instruction Fuzzy Hash: 52419032B205048BCB04FBB8E95846DBBB6EF89310F144A59E1625B3D8DF34AC598793
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (>*
                                                                  • API String ID: 0-2088821979
                                                                  • Opcode ID: e787a07ad35be64e4c4ca421676033c960572e9377628f0b3ba55659107bac79
                                                                  • Instruction ID: 246ddad189019eaf165413df78a8360226f81c23a760e125c13c8f3e291ad762
                                                                  • Opcode Fuzzy Hash: e787a07ad35be64e4c4ca421676033c960572e9377628f0b3ba55659107bac79
                                                                  • Instruction Fuzzy Hash: EA418E36B002109FCB08EF79E56D46EBBA6FBC9210714486DD90AD7349DF359C06CB95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (>*
                                                                  • API String ID: 0-2088821979
                                                                  • Opcode ID: 64194417a8184a428417d2bdb1b2ece9be494b5fba2cc4081f72fbb4d8b73ce9
                                                                  • Instruction ID: dd1cdb910760b18c6ef0fe86356c8f47e45681d53d8e950aef5b9859b9a1acad
                                                                  • Opcode Fuzzy Hash: 64194417a8184a428417d2bdb1b2ece9be494b5fba2cc4081f72fbb4d8b73ce9
                                                                  • Instruction Fuzzy Hash: 8F319F36B002109FCB08AB79A46D56EBBE6FBCD210714486DD90AD7348DF359C06CB96
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0*
                                                                  • API String ID: 0-2166141187
                                                                  • Opcode ID: 236e29d173500f9025483720c53b70a943814a83d753ad5f570ab21cc5929b0c
                                                                  • Instruction ID: 8015d5d6d582b3fcca0f2895197d50bedd3cd5b8b7589c252859b245f3b12ca0
                                                                  • Opcode Fuzzy Hash: 236e29d173500f9025483720c53b70a943814a83d753ad5f570ab21cc5929b0c
                                                                  • Instruction Fuzzy Hash: B731B631F0060ACBCB11AF79D4241AEB3B5FF85310F108629C555A7344EF38A981CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8c@g
                                                                  • API String ID: 0-2112209365
                                                                  • Opcode ID: a22598fbecb9665ad60af3ab4c0ae17246adae8e1ca4dd18b03a89fa5e6b0a99
                                                                  • Instruction ID: 23e7a01b44d51a30a70b37c7b7ad35015816e6169b8e2bed3a0cb62cbcac5670
                                                                  • Opcode Fuzzy Hash: a22598fbecb9665ad60af3ab4c0ae17246adae8e1ca4dd18b03a89fa5e6b0a99
                                                                  • Instruction Fuzzy Hash: 9F0171312017048BD364AF69E52866A77E6EFC9315F108D28C18A47758DFB4AC0ACBD6
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ,u-
                                                                  • API String ID: 0-3228338026
                                                                  • Opcode ID: c7f38f004e82cab15a5f818fa9b4a8d744e4c23a4af7007ad8d4936b17444e71
                                                                  • Instruction ID: e6cc5a2447a4869addef0344f06b51b2616120c1ad9e13bceb4a9156bbd966e0
                                                                  • Opcode Fuzzy Hash: c7f38f004e82cab15a5f818fa9b4a8d744e4c23a4af7007ad8d4936b17444e71
                                                                  • Instruction Fuzzy Hash: E8F0A971A00308DFCB199BA8E4045EDBBB5AF85311F21026AD90AEB724C7304A41CB81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ce342f36a2d72372687fe2c6616eb0bd0e7490af307d16be38f3b091c812cbaa
                                                                  • Instruction ID: 6db2665d3e900cf52849f4bc59f41dcc60b671da3a2f4b794675f935a1f1572a
                                                                  • Opcode Fuzzy Hash: ce342f36a2d72372687fe2c6616eb0bd0e7490af307d16be38f3b091c812cbaa
                                                                  • Instruction Fuzzy Hash: 67F13074B001088FDB58DFA8D5A4AAEBBF2FF89304F108469D516EB3A5DB349C46CB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5f0a053d685de22d4189bb576e3d89c485d4a09b6b9bbb8e19317190e97ce408
                                                                  • Instruction ID: f8adcd4c045c8fd0714df31cb5d0e718f8ba3f68332dbbfe0bc43cea2ff9eb87
                                                                  • Opcode Fuzzy Hash: 5f0a053d685de22d4189bb576e3d89c485d4a09b6b9bbb8e19317190e97ce408
                                                                  • Instruction Fuzzy Hash: C3E19D357002508FDB14DF78D5A8A6A7BF2FF89200F1584A9E906DB3A2DB74DC46CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 750133b8b23e38cba9a8063d7f928cfaddf75b17b3f0e8b31650742d258fadc7
                                                                  • Instruction ID: 347577e0ba9ac6572bba8db940359a712d76541a00a4481e8872dc7b18aec968
                                                                  • Opcode Fuzzy Hash: 750133b8b23e38cba9a8063d7f928cfaddf75b17b3f0e8b31650742d258fadc7
                                                                  • Instruction Fuzzy Hash: 75E18C366002159FCF159FA1C958EA9BBB3FF4C310F0685A8E20A9B272DB36D955DF40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1fbca69aae4e5a26016dd8a14ade10e327e265fa50fb02d798332d32e4cb47c5
                                                                  • Instruction ID: 5608a2c04e2288b1b16cd4175f8e6ce331013500d2be66fafb9ec2445473c88f
                                                                  • Opcode Fuzzy Hash: 1fbca69aae4e5a26016dd8a14ade10e327e265fa50fb02d798332d32e4cb47c5
                                                                  • Instruction Fuzzy Hash: B3D17B36600215DFDF159FA1C958EA9BBB3BF4C310F0645A8E60A9B272DB32D991DF40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c3225d1f778061b32c450757ef4ab65c1e841c6904a15906a1002914e30343de
                                                                  • Instruction ID: 3035fceffffc232088fe186f375439c0cd51f3dac75d29dcf76de1c6915f5df5
                                                                  • Opcode Fuzzy Hash: c3225d1f778061b32c450757ef4ab65c1e841c6904a15906a1002914e30343de
                                                                  • Instruction Fuzzy Hash: 7A618B757002108FC714DF78C5A8A6ABBF6FF89214B1648A9E506DB3B2CB74DC46CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5643cb3fa4ef6221bf58c70d9d657e213bbd5246997a2155c85f5a7097d30d4b
                                                                  • Instruction ID: 4784658644fc0bf0ffe4d48276f639301b4433847a0bf38399988e3fd91239bc
                                                                  • Opcode Fuzzy Hash: 5643cb3fa4ef6221bf58c70d9d657e213bbd5246997a2155c85f5a7097d30d4b
                                                                  • Instruction Fuzzy Hash: 21512A34E01219EFCF15DFA4E8989EDBBB6BF88314F108029E906A7360DB349945CF51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ce1ffdb32925d4d3fde6a185d9a73856027fc7ce850e913336c3c28fc7771e94
                                                                  • Instruction ID: 716793214857590cc9f66080f1c9a3143793d8c06d2047afaac2f16bd296a45d
                                                                  • Opcode Fuzzy Hash: ce1ffdb32925d4d3fde6a185d9a73856027fc7ce850e913336c3c28fc7771e94
                                                                  • Instruction Fuzzy Hash: 14F0E93630B6918FC3068F68D4548497FB5BF8662030A81DAE589CBB32CB24ED51C7D1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a9616804cf4d8a8707af9f9c238385abbab2b17587af85ba2266267238e31078
                                                                  • Instruction ID: 2343815465b23d95e98afaf1c1f9b73557c0d7002a30b61366c30cfdab9f49df
                                                                  • Opcode Fuzzy Hash: a9616804cf4d8a8707af9f9c238385abbab2b17587af85ba2266267238e31078
                                                                  • Instruction Fuzzy Hash: 5501F234A06219AFDF01CF90E959FEEBB72BF48314F204014E902BB2A0C7349945DBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d7327e2ac9907dd4760189b14b5a4d2ed088f664d6d268103e5aacaea4198f18
                                                                  • Instruction ID: 6e2b0999bf9a3b2d4e42860b5a6c2dffd91383905bf3c8a5ed821d741037b53d
                                                                  • Opcode Fuzzy Hash: d7327e2ac9907dd4760189b14b5a4d2ed088f664d6d268103e5aacaea4198f18
                                                                  • Instruction Fuzzy Hash: 29F0F970E012198FCB94DF69E8085DEBBF5FF88711F00492AD919E3314D7706A058BD5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7fe168c5e6a37c13196950466300b5e4de73c21b07bacb775e59ca1f519cdd91
                                                                  • Instruction ID: ffde45a820afb983df851987c6126f10402685a031dff88a0852e5e86425285e
                                                                  • Opcode Fuzzy Hash: 7fe168c5e6a37c13196950466300b5e4de73c21b07bacb775e59ca1f519cdd91
                                                                  • Instruction Fuzzy Hash: 8BF02B3194D6C48FC725CBB95A4A095BFE4EE2A200744049FC4458E83DD324A015D785
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 75a60f2aa8654aadd24552a45bfe4dad359863c9ec9785521dbe2ff7467eca34
                                                                  • Instruction ID: 6887d8d0ba0c576e7ff85080aad5c078eae4fd8a10fd3be68a84faa680dbddb1
                                                                  • Opcode Fuzzy Hash: 75a60f2aa8654aadd24552a45bfe4dad359863c9ec9785521dbe2ff7467eca34
                                                                  • Instruction Fuzzy Hash: 13E09B333002405BC714269BB49CAAA77DDEBC5311B100C2DE20EC7345CB611C49C3A6
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: da81d73cccbac96c49c97f301ba4e10267b50b9b7f72ab052248334f997f1f13
                                                                  • Instruction ID: 52d09b01e70d444577b86f44591cc885c16d5625e19107fc3094a23b497cc4af
                                                                  • Opcode Fuzzy Hash: da81d73cccbac96c49c97f301ba4e10267b50b9b7f72ab052248334f997f1f13
                                                                  • Instruction Fuzzy Hash: 70F0E5363065255FC3149F29D404C49B7B9AF81A20315826AE44987722CF20ED41C7C1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7945199d8eedd0cbf3f91bbf1ef2ca3a2bbb3eec0f65ed8bbc2257709f67ceff
                                                                  • Instruction ID: 0c573bf4c5edd978432a50ab0cea8657fdd183275c4d9c1d484b49d86b04a53e
                                                                  • Opcode Fuzzy Hash: 7945199d8eedd0cbf3f91bbf1ef2ca3a2bbb3eec0f65ed8bbc2257709f67ceff
                                                                  • Instruction Fuzzy Hash: C3F09071901B048FD314DF26E50C512BBF6FB88310700892DE44A82B28DF74A509CF85
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3fa676ca6fed09a61931a79a642fcbaee30c1cc0f5b245d1d9bd4d50c0416fc0
                                                                  • Instruction ID: feb00c056b0dcf162a18b10ec821bfedfbc3b8a08636378343a400aa411ffc7c
                                                                  • Opcode Fuzzy Hash: 3fa676ca6fed09a61931a79a642fcbaee30c1cc0f5b245d1d9bd4d50c0416fc0
                                                                  • Instruction Fuzzy Hash: 89E0DF35A0A2C46FC7428A7859185CF7FB999C6120B0A81FBD14CD7112EA288518C7A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5c1a85dfc4956a03221133a6e8d2f8c57ed066a3809d0e8ffb4bd8fd23da9ab1
                                                                  • Instruction ID: 57a8413b0fe2257a590a058c8fb5a4e653523627da53ed5b3ffd5806969db90f
                                                                  • Opcode Fuzzy Hash: 5c1a85dfc4956a03221133a6e8d2f8c57ed066a3809d0e8ffb4bd8fd23da9ab1
                                                                  • Instruction Fuzzy Hash: A6F0F2B1D182499F8B94CFA9E4065EEBFF1AB4A300B1081AAD958E3210EB344641CF80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8b31e866fa77b51d1728c2bdf71d5c836f4e42010d21a10e2a34cccb42a392eb
                                                                  • Instruction ID: cab5d42d98aaf3937607c29925d82829c4e7fa456e2a4ed12d16e10fdf53db09
                                                                  • Opcode Fuzzy Hash: 8b31e866fa77b51d1728c2bdf71d5c836f4e42010d21a10e2a34cccb42a392eb
                                                                  • Instruction Fuzzy Hash: F7E02632302244ABC71426AAB86D89FBB5EE7CA331B004839E50983305CF750C04C3F9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2fee0b38077470c7956453f20ebb79822acc3ede5fa16fae5ebc22a848bf5b6f
                                                                  • Instruction ID: 3f2f78ef4fc136f36e93f293542700b374c67dda34555177ff1124ef2e19dc7a
                                                                  • Opcode Fuzzy Hash: 2fee0b38077470c7956453f20ebb79822acc3ede5fa16fae5ebc22a848bf5b6f
                                                                  • Instruction Fuzzy Hash: A6E065322007908FC724976DE41865A7BEAABC5319F000C2DD14687B14DB626849C7D6
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 729ec317a9d2299be317fc2cf118cec119ab46ee9e9227260b7d6d7afee08a32
                                                                  • Instruction ID: 68d4b10ba7922bc64ba0498cca6d15e0afd3c169dd1cadfe007cebc47309aadc
                                                                  • Opcode Fuzzy Hash: 729ec317a9d2299be317fc2cf118cec119ab46ee9e9227260b7d6d7afee08a32
                                                                  • Instruction Fuzzy Hash: 4AE0DF346091808FC315EB78EA184953FB4AF0661171902EAE58BCBAB5D731DC00CB61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 962c5849ee02486f4fdb73d8838fce8a0b68d410747f29338d877c745cace295
                                                                  • Instruction ID: 49cd88c690301447d25d067b0645dc34f78b23c99d3f37019be9940714b473e8
                                                                  • Opcode Fuzzy Hash: 962c5849ee02486f4fdb73d8838fce8a0b68d410747f29338d877c745cace295
                                                                  • Instruction Fuzzy Hash: 39E0D835509184DBC720CB64C5654B57B72EB4B2043050EC9E8464B662D7595D57DB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4f9a0aa44436280afcf61d8bf8b699a8d1172c24435f219e3178d18e4f5c518c
                                                                  • Instruction ID: cd1552f3030ef60ba1ed81a42d708e1dc28023804feb7ae2e963d5be5c814d5b
                                                                  • Opcode Fuzzy Hash: 4f9a0aa44436280afcf61d8bf8b699a8d1172c24435f219e3178d18e4f5c518c
                                                                  • Instruction Fuzzy Hash: 0BE0D8311056509FDB41EB34F47A9E83B71FB4B318B0519ECD0458B795C7342C06C791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a685213691ef484a1105975114ae72cd21dd5bc4c20323b3a21663e5f7ecbff8
                                                                  • Instruction ID: 2caa4906d9af6647bd551ca851cbb83cc4416ad01fe7e47dabb2737fd5cdae8c
                                                                  • Opcode Fuzzy Hash: a685213691ef484a1105975114ae72cd21dd5bc4c20323b3a21663e5f7ecbff8
                                                                  • Instruction Fuzzy Hash: CEE09231105250AFCB06DB34E46AA953B61FB47318B1517DED0504B365C7251846CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9ef294095eb0e35158742c21019b1a330cfea4bf201271f15246027c181eec1b
                                                                  • Instruction ID: 3ad10acf743ba79e3cbe6d4f9bc4d73fe0ac7a0310c1cf026a9ccf3e249eee7c
                                                                  • Opcode Fuzzy Hash: 9ef294095eb0e35158742c21019b1a330cfea4bf201271f15246027c181eec1b
                                                                  • Instruction Fuzzy Hash: C5E026322083589FC709EBB854240C93F728E02128B0604DFC044DB945D67109088784
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6912aa875ecfacc57b67a3fc2ab2c33aee52850dae14f7bc32099f0a870f5562
                                                                  • Instruction ID: afce5981f1bdffdcbce7a13caf464904cd878ba6fbca89fc61d05bacecfc3c51
                                                                  • Opcode Fuzzy Hash: 6912aa875ecfacc57b67a3fc2ab2c33aee52850dae14f7bc32099f0a870f5562
                                                                  • Instruction Fuzzy Hash: 95E08C36A483508FC709AB38A0284F87F76EE8721432949EFD456CB5AACB224805CB41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2d451ce8f2f190899c495a0058caa9d216af7006c5986bf59c36f47ccc63e62e
                                                                  • Instruction ID: da71971e2ed542c207cb9b984052b8019a77f5f9efbc8234a199727c2ba4c852
                                                                  • Opcode Fuzzy Hash: 2d451ce8f2f190899c495a0058caa9d216af7006c5986bf59c36f47ccc63e62e
                                                                  • Instruction Fuzzy Hash: 27D05B373001645B8A146769BC1C4AD779ADFC56213041829E107C774ACF711C1647D6
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.707363058.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_51f0000_AppLaunch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6a3d3579a38576a6c82fc8846dcfa23ebe679e701c880bc0f93abba9bd9e47c3
                                                                  • Instruction ID: d7346f83f32bd8c66df117bf7ad69d421fcad79408d103a63760af6ce28d0c98
                                                                  • Opcode Fuzzy Hash: 6a3d3579a38576a6c82fc8846dcfa23ebe679e701c880bc0f93abba9bd9e47c3
                                                                  • Instruction Fuzzy Hash: 12E0927A90E2809FDB46DB35D0176097BB1AF82320F1580DAC0518B266C7398904CB52
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: `|*$`|*$`|*$`|*$`|*$`|*$`|*
                                                                  • API String ID: 0-3973499967
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%