Windows Analysis Report
XMLSAT++.exe

Overview

General Information

Sample name: XMLSAT++.exe
Analysis ID: 1428358
MD5: 871758a2ed01cd34e3db8449c9f830d5
SHA1: 083b1d6e622022ebda5200a62c39cf7061178419
SHA256: 8dc574c5ad0a26d4b25f3ec405ae14bf2e4c99b1dff8bc07b3db99e2db896a19

Detection

PureLog Stealer, RedLine
Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Uses Windows timers to delay execution
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64_ra
  • XMLSAT++.exe (PID: 828 cmdline: "C:\Users\user\Desktop\XMLSAT++.exe" MD5: 871758A2ED01CD34E3DB8449C9F830D5)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Source | Rule | Description | Author | Strings
XMLSAT++.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
XMLSAT++.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
    • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x700:$s3: 83 EC 38 53 B0 9F 88 44 24 2B 88 44 24 2F B0 CB 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1e9d0:$s5: delete[]
    • 0x1de88:$s6: constructor or from DllMain.
Source | Rule | Description | Author | Strings
00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
      No Sigma rule has matched
      No Snort rule has matched

      Source: XMLSAT++.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
      Source: XMLSAT++.exe | Static PE information: certificate valid

      System Summary

      Source: XMLSAT++.exe, type: SAMPLE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
      Source: XMLSAT++.exe, type: SAMPLE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
      Source: classification engine | Classification label: mal51.troj.evad.winEXE@1/0@0/0
      Source: C:\Users\user\Desktop\XMLSAT++.exe | File created: C:\Users\user\Desktop\dbDATOS33.db
      Source: C:\Users\user\Desktop\XMLSAT++.exe | Mutant created: NULL
      Source: XMLSAT++.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\XMLSAT++.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: create table ORDENXMLMULTIRFC (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
      Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: create table ORDENNOMINA12FOLDER (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
      Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: create table ORDENDATOSGLOBAL (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`)); @f
      Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: create table ORDENDATOS33VOLUMENES2 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
      Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: create table ORDENREPORTE33 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: dwrite.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: windowscodecs.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\XMLSAT++.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: XMLSAT++.exeStatic PE information: certificate valid
      Source: XMLSAT++.exeStatic file information: File size 27361688 > 1048576
      Source: XMLSAT++.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x19f3400
      Source: XMLSAT++.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: C:\Users\user\Desktop\XMLSAT++.exeCode function: 0_2_03DC41D7 push esi; iretd 0_2_03DC41E0
      Source: C:\Users\user\Desktop\XMLSAT++.exeCode function: 0_2_03DDD797 push eax; mov dword ptr [esp], ecx0_2_03DDD7AC
      Source: C:\Users\user\Desktop\XMLSAT++.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\XMLSAT++.exeUser Timer Set: Timeout: 100msJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: 3C70000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: 87B0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: 3DA0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: D9B0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: 109B0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: 13870000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: B3E0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: E0C0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: F0C0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: 194E0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: 100C0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: 1A4E0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: 1C4E0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: 1F4E0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exe TID: 2956Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: XMLSAT++.exe, 00000000.00000003.1241066389.000000000206E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllfs
      Source: XMLSAT++.exe, 00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n8AfcyPAfS5VU1iqeMu6
      Source: XMLSAT++.exe, 00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TuP2g5QEMUSsokfDULDs
      Source: XMLSAT++.exe, 00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qoxqEMUB5QDevPaQaBUl
      Source: XMLSAT++.exe, 00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cG54pLHGFSi6oO8N3gY3
      Source: C:\Users\user\Desktop\XMLSAT++.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeMemory allocated: page read and write | page guardJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Users\user\Desktop\XMLSAT++.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

      Source: Yara match, File source: 00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: XMLSAT++.exe, type: SAMPLE

      Remote Access Functionality

      Source: Yara match, File source: 00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: XMLSAT++.exe, type: SAMPLE

      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 131 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact

      No Antivirus matches
      Source | Detection | Scanner | Label | Link
      http://fontfabrik.com | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
      http://www.sakkal.com | 0% | URL Reputation | safe |
      No contacted domains info
      No contacted IP infos
      Joe Sandbox version: 40.0.0 Tourmaline
      Analysis ID: 1428358
      Start date and time: 2024-04-18 21:12:24 +02:00
      Joe Sandbox product: CloudBasic
      Overall analysis duration: 0h 5m 46s
      Hypervisor based Inspection enabled: false
      Report type: full
      Cookbook file name: defaultwindowsinteractivecookbook.jbs
      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed: 16
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Sample name: XMLSAT++.exe
      Detection: MAL
      Classification: mal51.troj.evad.winEXE@1/0@0/0
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 97%
      • Number of executed functions: 156
      • Number of non-executed functions: 8
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
      • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, evoke-windowsservices-tas.msedge.net, fe3cr.delivery.mp.microsoft.com
      • Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • VT rate limit hit for: XMLSAT++.exe
      No simulations
      No context
      No created / dropped files found
      File type: PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit): 7.999796813877984
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name: XMLSAT++.exe
      File size: 27'361'688 bytes
      MD5: 871758a2ed01cd34e3db8449c9f830d5
      SHA1: 083b1d6e622022ebda5200a62c39cf7061178419
      SHA256: 8dc574c5ad0a26d4b25f3ec405ae14bf2e4c99b1dff8bc07b3db99e2db896a19
      SHA512: 5c03aa3a4b84a36e6748fa56e6044771f68d89661fd85a6bafb6c1c57db3e02923b496f08d184dccb872221a464ca8a196133aa434fbf0ae2bde2adf2ca0a323
      SSDEEP: 786432:DqtdCN5SyRa35KBjMxx/ElfA6CEYBfTUxw1j:GT4xap2cRElfA6CX1j
      TLSH: 8A5733101875C0A2E75EB13000E4D13F281A3DE267915AD72FEA37E97D76AC987A17CB
                                                                                              Icon Hash:1d8ce9713466e769
                                                                                              Entrypoint:0x40cd2f
                                                                                              Entrypoint Section:.text
                                                                                              Digitally signed:true
                                                                                              Imagebase:0x400000
                                                                                              Subsystem:windows gui
                                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                              Time Stamp:0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
                                                                                              TLS Callbacks:
                                                                                              CLR (.Net) Version:
                                                                                              OS Version Major:5
                                                                                              OS Version Minor:0
                                                                                              File Version Major:5
                                                                                              File Version Minor:0
                                                                                              Subsystem Version Major:5
                                                                                              Subsystem Version Minor:0
                                                                                              Import Hash:bf5a4aa99e5b160f8521cadd6bfe73b8
                                                                                              Signature Valid:true
                                                                                              Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                              Signature Validation Error:The operation completed successfully
                                                                                              Error Number:0
Not Before: 27/02/2024 01:00:00
Not After: 01/03/2025 00:59:59
                                                                                              Subject Chain
                                                                                              • CN=SOFTWARE PAQ SAS, O=SOFTWARE PAQ SAS, L=OAXACA DE JUAREZ, S=Oaxaca, C=MX, SERIALNUMBER=SPA1710063C9, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=MX
                                                                                              Version:3
                                                                                              Thumbprint MD5:C1379983CD7A9F3D82075ACD6A43DA7B
                                                                                              Thumbprint SHA-1:B8FB07A524C6736EC6CC8E3DB9CBB113CD376CF1
                                                                                              Thumbprint SHA-256:E201E07729E6B806A4F8598B3C1879FF150E0EC7E3F5643B474C97B27F7C625A
                                                                                              Serial:09CB7EA0481A37E6B112D322F94824B3
                                                                                              Instruction
                                                                                              call 00007F280522AF76h
                                                                                              jmp 00007F2805225139h
                                                                                              mov edi, edi
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              sub esp, 20h
                                                                                              mov eax, dword ptr [ebp+08h]
                                                                                              push esi
                                                                                              push edi
                                                                                              push 00000008h
                                                                                              pop ecx
                                                                                              mov esi, 0041F058h
                                                                                              lea edi, dword ptr [ebp-20h]
                                                                                              rep movsd
                                                                                              mov dword ptr [ebp-08h], eax
                                                                                              mov eax, dword ptr [ebp+0Ch]
                                                                                              pop edi
                                                                                              mov dword ptr [ebp-04h], eax
                                                                                              pop esi
                                                                                              test eax, eax
                                                                                              je 00007F280522529Eh
                                                                                              test byte ptr [eax], 00000008h
                                                                                              je 00007F2805225299h
                                                                                              mov dword ptr [ebp-0Ch], 01994000h
                                                                                              lea eax, dword ptr [ebp-0Ch]
                                                                                              push eax
                                                                                              push dword ptr [ebp-10h]
                                                                                              push dword ptr [ebp-1Ch]
                                                                                              push dword ptr [ebp-20h]
                                                                                              call dword ptr [0041B000h]
                                                                                              leave
                                                                                              retn 0008h
                                                                                              ret
                                                                                              mov eax, 00413563h
                                                                                              mov dword ptr [004228E4h], eax
                                                                                              mov dword ptr [004228E8h], 00412C4Ah
                                                                                              mov dword ptr [004228ECh], 00412BFEh
                                                                                              mov dword ptr [004228F0h], 00412C37h
                                                                                              mov dword ptr [004228F4h], 00412BA0h
                                                                                              mov dword ptr [004228F8h], eax
                                                                                              mov dword ptr [004228FCh], 004134DBh
                                                                                              mov dword ptr [00422900h], 00412BBCh
                                                                                              mov dword ptr [00422904h], 00412B1Eh
                                                                                              mov dword ptr [00422908h], 00412AABh
                                                                                              ret
                                                                                              mov edi, edi
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              call 00007F280522522Bh
                                                                                              call 00007F280522BAB0h
                                                                                              cmp dword ptr [ebp+00h], 00000000h
                                                                                              Programming Language:
                                                                                              • [ASM] VS2008 build 21022
                                                                                              • [IMP] VS2005 build 50727
                                                                                              • [C++] VS2008 build 21022
                                                                                              • [ C ] VS2008 build 21022
                                                                                              • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x215b4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0x19f3360 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1a15400 | 0x2d98 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1b1c0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x20da0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x184 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x19718 | 0x19800 | 13688a17a03bd96742400559381dd5ad | False | 0.5789483762254902 | data | 6.748665150891542 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b000 | 0x6db4 | 0x6e00 | 5826801f33fc1b607aa8e942aa92e9fa | False | 0.5467329545454546 | data | 6.442956247632331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x30c0 | 0x1600 | 2fe51a72ede820cd7cf55a77ba59b1f4 | False | 0.3126775568181818 | data | 3.2625868398009703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x26000 | 0x19f3360 | 0x19f3400 | 2afb22893ce67ae1aa62947243daa605 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x26274 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m | | | 0.5478723404255319
RT_ICON | 0x266dc | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 11811 x 11811 px/m | | | 0.3721311475409836
RT_ICON | 0x27064 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m | | | 0.2840056285178236
RT_ICON | 0x2810c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m | | | 0.18288381742738588
RT_ICON | 0x2a6b4 | 0x2e79 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9866352862066067
RT_RCDATA | 0x2d530 | 0x19eac61 | data | | | 1.0003108978271484
RT_RCDATA | 0x1a18194 | 0x20 | data | | | 1.34375
RT_GROUP_ICON | 0x1a181b4 | 0x4c | data | | | 0.7763157894736842
RT_VERSION | 0x1a18200 | 0x380 | data | | | 0.4095982142857143
RT_MANIFEST | 0x1a18580 | 0xde0 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.39864864864864863
DLL | Import
KERNEL32.dll | RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
ole32.dll | OleInitialize
OLEAUT32.dll | SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantInit, SysFreeString, SysAllocString
                                                                                              No network behavior found


                                                                                              Target ID:0
                                                                                              Start time:21:12:58
                                                                                              Start date:18/04/2024
                                                                                              Path:C:\Users\user\Desktop\XMLSAT++.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\XMLSAT++.exe"
                                                                                              Imagebase:0x400000
                                                                                              File size:27'361'688 bytes
                                                                                              MD5 hash:871758A2ED01CD34E3DB8449C9F830D5
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                              Reputation:low
                                                                                              Has exited:false


                                                                                                Execution Graph

                                                                                                Execution Coverage:11.7%
                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                Signature Coverage:0%
                                                                                                Total number of Nodes:3
                                                                                                Total number of Limit Nodes:0
                                                                                                execution_graph 24176 3dc98d0 24177 3dc9915 MessageBoxW 24176->24177 24179 3dc995c 24177->24179

Control-flow Graph (function at 3c79e78; legend: Executed / Not Executed)
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: DJgq$Debq$`fq$hbeq
                                                                                                • API String ID: 0-3754023294
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

Control-flow Graph (function at 3dc0040; legend: Executed / Not Executed)
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452292197.0000000003DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DC0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dc0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: j38#
                                                                                                • API String ID: 0-3859439163
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • API String ID: 0-3200001112
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: $
                                                                                                • API String ID: 0-227171996
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: $
                                                                                                • API String ID: 0-227171996
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: @Hbq$PQbq
                                                                                                • API String ID: 0-4233086775
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 8fq
                                                                                                • API String ID: 0-1868417641
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • MessageBoxW.USER32(?,00000000,00000000,?), ref: 03DC994D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452292197.0000000003DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DC0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dc0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID: Message
                                                                                                • String ID:
                                                                                                • API String ID: 2030045667-0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • MessageBoxW.USER32(?,00000000,00000000,?), ref: 03DC994D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452292197.0000000003DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DC0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dc0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID: Message
                                                                                                • String ID:
                                                                                                • API String ID: 2030045667-0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: h:#
                                                                                                • API String ID: 0-4038647838
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: l:#
                                                                                                • API String ID: 0-1797890568
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: @:#
                                                                                                • API String ID: 0-457664325
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: @:#
                                                                                                • API String ID: 0-457664325
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: :#
                                                                                                • API String ID: 0-3932560332
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: :#
                                                                                                • API String ID: 0-3932560332
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                • Instruction ID: 62c4f109cb04ef0dcd441f983299aba4892b590923468f978f98e73d62d05080
                                                                                                • Opcode Fuzzy Hash: 63f125ff668d869cbe260dbc01c2c110bbf9c479117bbc9959d8c15dabdb3f7b
                                                                                                • Instruction Fuzzy Hash: E951E734A106158FCB04DF68C8949ADBBB6FF89700B1586A9E506AB372EB70ED45CB50
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 72f5880938c3f7818ab2afa156ffb4db3bb283b8c510ab7d22fbc3a79503d41c
                                                                                                • Instruction ID: b68c3a44ae43b415c5d0fa9560560d2483303a11bd3faa267d6f2712d9044ed6
                                                                                                • Opcode Fuzzy Hash: 72f5880938c3f7818ab2afa156ffb4db3bb283b8c510ab7d22fbc3a79503d41c
                                                                                                • Instruction Fuzzy Hash: BC41F335B102049FCB15EB7988107AEBBE6EFC5314F1489AAD049DB3A5DF35AC06C792
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 15b799cdd45a09c98a5cc829ca4024490d0baa65e50ea8ee4dc34e1e4266f7a3
                                                                                                • Instruction ID: 137fad169635dabf1f89568931c6e41f608a4006c97f525aac8f485cfb0cb6a0
                                                                                                • Opcode Fuzzy Hash: 15b799cdd45a09c98a5cc829ca4024490d0baa65e50ea8ee4dc34e1e4266f7a3
                                                                                                • Instruction Fuzzy Hash: 7F510731910709DFCB10EF68C844999FBB5FF89310F11C699E5596B221EB30AA89CF80
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8a4f722d92339f5959806d19d1325bd970379058f07a026ed9b25fd3f87fe21e
                                                                                                • Instruction ID: 491891692d72f6da63da4c358b573fb119b6d4de3db50ecf13d09cc464ca5f4d
                                                                                                • Opcode Fuzzy Hash: 8a4f722d92339f5959806d19d1325bd970379058f07a026ed9b25fd3f87fe21e
                                                                                                • Instruction Fuzzy Hash: C551D534A10614CFCB04EF68C894DADB7B6FF89700B1585A9E506AB371EB71ED45CB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 487928c9deb01c48ffeecc88541893180d8d4b2d8c113d7e6268f85579478ec2
                                                                                                • Instruction ID: 26bf4c694baae136e0b48f25f78bf4fb7142aa4dc1ebf27947f66d6d5d7916b0
                                                                                                • Opcode Fuzzy Hash: 487928c9deb01c48ffeecc88541893180d8d4b2d8c113d7e6268f85579478ec2
                                                                                                • Instruction Fuzzy Hash: 3351F831910B19DFCB14EF68C844999F7B5FF89310F11C699E5596B221EB30EA88CF81
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3121cb10131d5642322dc6d303074655343349c3fbf32af3de98c7bdd3e7fde8
                                                                                                • Instruction ID: a50ad4992f5759c42de619ddf321273a38524c62c91ec67b2127a0264c30d78d
                                                                                                • Opcode Fuzzy Hash: 3121cb10131d5642322dc6d303074655343349c3fbf32af3de98c7bdd3e7fde8
                                                                                                • Instruction Fuzzy Hash: 23417C347506048FDB54DF69C484A6EB7F6FF89710B24856DD4469B768DB70EC028BA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 44753e297dd5336c0ded08710279d3c92cfb311d18d76d31d3643a5276864c19
                                                                                                • Instruction ID: ef6488545a60c2b3a821ed4865cffc3ce30852616b220fa81ade058aa3105e4c
                                                                                                • Opcode Fuzzy Hash: 44753e297dd5336c0ded08710279d3c92cfb311d18d76d31d3643a5276864c19
                                                                                                • Instruction Fuzzy Hash: 0241B431A016499FCF00EFB8C8549EEBBF5FF89300F1585A9E405AB221DB34E949CB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c97fd7b21ea5321b9a80506c77e9318cf6711e3b275da655dfd0dfe60eb623de
                                                                                                • Instruction ID: 65acdcdb9f06099147df2451f134e35d142caa3a1e3cee3a22f3857a21bed2ed
                                                                                                • Opcode Fuzzy Hash: c97fd7b21ea5321b9a80506c77e9318cf6711e3b275da655dfd0dfe60eb623de
                                                                                                • Instruction Fuzzy Hash: 6541BE34A006158FCB01EBBCC454AAEBBF6EF86300F1545AAD009DB362EB70DD85C791
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c4013f378e0ca35bf474a75b8de9cafaa99bd608c05adc2c61e71c7044b7c61e
                                                                                                • Instruction ID: 118b8b0dda2c424c02bf47dd9cba1012afbc24871bc708133967cef6877a20aa
                                                                                                • Opcode Fuzzy Hash: c4013f378e0ca35bf474a75b8de9cafaa99bd608c05adc2c61e71c7044b7c61e
                                                                                                • Instruction Fuzzy Hash: 32418E347502048FDB55DF29C450A6FBBF6FF89700B2485AED0869B768CB70AC06CBA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 36774dce72ee381f4a0f34d9b423ad01ee905e3bd926a7bf81a5c42107244c06
                                                                                                • Instruction ID: e8e89eec4cab0cf4b64ee33500cfbd6e2a57063ce87b36cc350281642466766d
                                                                                                • Opcode Fuzzy Hash: 36774dce72ee381f4a0f34d9b423ad01ee905e3bd926a7bf81a5c42107244c06
                                                                                                • Instruction Fuzzy Hash: 7B416835E00219CFCB91DBB8E944AEDBBF5FF48610F184169D401E7761DB309945CBA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f29b1ecdbd72ddc150ae9823386a69c8b84aaa6f86ed075598d69ee6bd4420da
                                                                                                • Instruction ID: 214528830b5eb2b2554a9002a6a21dbf84550f2726edf7d7c43af166c797ebad
                                                                                                • Opcode Fuzzy Hash: f29b1ecdbd72ddc150ae9823386a69c8b84aaa6f86ed075598d69ee6bd4420da
                                                                                                • Instruction Fuzzy Hash: D541D3396043559FC719EB34D450ABEB7E7EFC6310F0884AED0599B2A1CF359846CBA2
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 83ceadffcb874352126326b0abe933c5d51cb6688cb5720fe48dfba4ffd1df80
                                                                                                • Instruction ID: 0ec71b0e2ddb5091621687c275b480a08cd16d496525f4580e7507f9f7d91469
                                                                                                • Opcode Fuzzy Hash: 83ceadffcb874352126326b0abe933c5d51cb6688cb5720fe48dfba4ffd1df80
                                                                                                • Instruction Fuzzy Hash: 7C513A35A01209EFDB10DF94E590BEEBBB2FF49710F248069E905AB751C771AD01CB61
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 023b82e4ec861c05539b71fabd8fcc88ac4da5283925f3f78fe40b57c96fbe65
                                                                                                • Instruction ID: 438f82392f1cfc46e86521914cae77a0eeaeb00d6e86df45c635df9ce907ff78
                                                                                                • Opcode Fuzzy Hash: 023b82e4ec861c05539b71fabd8fcc88ac4da5283925f3f78fe40b57c96fbe65
                                                                                                • Instruction Fuzzy Hash: 9D414935A00219DFCF15DFA9C890AD9F7B5FF49300F1582AAD949AB255DF30AE84CB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: dd6249a526a02bfe840d10e7aee8938856e749ed7ee0098bd1fb12374a196ee2
                                                                                                • Instruction ID: e263f955dfa94801af79a0f7b4a5cfd5f439bca8a76739ad58156efaaf7b1e7e
                                                                                                • Opcode Fuzzy Hash: dd6249a526a02bfe840d10e7aee8938856e749ed7ee0098bd1fb12374a196ee2
                                                                                                • Instruction Fuzzy Hash: BD417F35A00219DFCB10DFA9C890AD9F7B5FF49300F1582AAD949AB215DF70AE84CF90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6646cc522fdf739bbae5642b4c568323ea562db56177ecea3e8b652fc985cc1c
                                                                                                • Instruction ID: 04c2f0d794318c80e01ab2ac44831abd98806dae1e1ccef980135d053dc68d33
                                                                                                • Opcode Fuzzy Hash: 6646cc522fdf739bbae5642b4c568323ea562db56177ecea3e8b652fc985cc1c
                                                                                                • Instruction Fuzzy Hash: 4F41E775A0020ADFCB44DF69D88099AFBB5FF89310B15C699E918AB311E770E985CF90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: eefa00069621f7f213a3fb2aed273daebf1f9d53dd795a4178f8001ee762ffe7
                                                                                                • Instruction ID: 4e6f47ae345641458b0ec1f9d4982dd4a148294fa9fbf74be17f76cee367247b
                                                                                                • Opcode Fuzzy Hash: eefa00069621f7f213a3fb2aed273daebf1f9d53dd795a4178f8001ee762ffe7
                                                                                                • Instruction Fuzzy Hash: E5419F36900740CFCB01DF68C884A95B7B2FF85314F1986BADC496F366DB71A884CBA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 0561bb36b1718a58f3607b109ec720e2a6870c11e6922a9a3cb7fed3a3edea5d
                                                                                                • Instruction ID: 9b0d33b2e51471b6fc99920dcdaff0c948fc3733b6dbcee333de468e93658cf1
                                                                                                • Opcode Fuzzy Hash: 0561bb36b1718a58f3607b109ec720e2a6870c11e6922a9a3cb7fed3a3edea5d
                                                                                                • Instruction Fuzzy Hash: 3241C775A0020ADFCB44DF69D88099EFBB5FF89310B15C699E918AB315E730E985CF90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f0816480052112c0a9380d7920b2b4e2b9b1c5d8445fef6412809d9619525114
                                                                                                • Instruction ID: 2e389b00b12e4b4d7e353770d134687ca4eda1d59c236c1717b0f5dddc124d85
                                                                                                • Opcode Fuzzy Hash: f0816480052112c0a9380d7920b2b4e2b9b1c5d8445fef6412809d9619525114
                                                                                                • Instruction Fuzzy Hash: 36317E36900741CBDB00DF68C884A95B7B2FF85314F19C67ADC096F366DB71A984CBA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 049d98a85a1becd5bf3ebb187612831b8ac322a3160e6e716e05c319b89b0ee9
                                                                                                • Instruction ID: a4d7bb43b1a3818665fc4692ede43b705218f700d3a46401b593aac4edf7f74a
                                                                                                • Opcode Fuzzy Hash: 049d98a85a1becd5bf3ebb187612831b8ac322a3160e6e716e05c319b89b0ee9
                                                                                                • Instruction Fuzzy Hash: E921BC347006918FCF06EB78C8642AD7BF6EF8A600B1401BEE14ACB360DF319A42CB51
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d24b9bfe8baccb9c669ca222522490c344d3f74d52334b64fe5ea7d927ffdfe3
                                                                                                • Instruction ID: c97f035dd8a2a7bbc9d4d6b043b6d35e0e94dcb96dffca07728fff8cc4d4dc09
                                                                                                • Opcode Fuzzy Hash: d24b9bfe8baccb9c669ca222522490c344d3f74d52334b64fe5ea7d927ffdfe3
                                                                                                • Instruction Fuzzy Hash: 2E3137357006119FC728EF39D444A2AB7E6FF89A15B9441ADE04ACF7A1DB31EC45CBA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 0778580c2d51c489962eb04b95d7ee71681427c29e3a9d91e7ce525dcce059cb
                                                                                                • Instruction ID: 6d59d47d9d2adbb060ccaf550d777f996a628d4a98e8a814a59a5088e3214854
                                                                                                • Opcode Fuzzy Hash: 0778580c2d51c489962eb04b95d7ee71681427c29e3a9d91e7ce525dcce059cb
                                                                                                • Instruction Fuzzy Hash: 63213035700601CFC718EF68E494A69B7E2FF89A15B5841ADE04ACF3A1DB32EC05CB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a8f0542468e368ebca4f94d37be587b29d04e98639b6482e754bcde4d9cd1b36
                                                                                                • Instruction ID: 0f5ded14ac3592e5fd1d7343cc8149521c357e80638721e8631e6746759e8d94
                                                                                                • Opcode Fuzzy Hash: a8f0542468e368ebca4f94d37be587b29d04e98639b6482e754bcde4d9cd1b36
                                                                                                • Instruction Fuzzy Hash: 59316B34A006158FCB01EF68C494AAEBBF6EF89310F14419AE449DB365DB70DD45CBA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: aa547ef40741fdff65da8af06ac301a815816981c4f59c950f3a4e6293027730
                                                                                                • Instruction ID: 80cfa45a04afff9b5ee8fa611e288ad7876b93a84bd5f933e87527f0fd52d30f
                                                                                                • Opcode Fuzzy Hash: aa547ef40741fdff65da8af06ac301a815816981c4f59c950f3a4e6293027730
                                                                                                • Instruction Fuzzy Hash: F521AA32A011209FC765DB25D5017BEBBA6EFC5B00B1844AAD809D7756CB38DC028792
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2449466136.0000000003BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03BCD000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3bcd000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 285f4788ad9a475e9bc784f82e7ae73ccefd1245a886d256579e2f97141311b3
                                                                                                • Instruction ID: 08c32772c591d3af825805695f5d68ab390341c63bd92edd233a31f07b5916d5
                                                                                                • Opcode Fuzzy Hash: 285f4788ad9a475e9bc784f82e7ae73ccefd1245a886d256579e2f97141311b3
                                                                                                • Instruction Fuzzy Hash: D22133B9500280DFCB21EF14D9C0B26BFA5FB98318F2485FDD80D0B21AC336D856CAA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7446336db5b06dcf8fa00b8c2d9ed0cce80c9407989f65e2afe469c75756f0ec
                                                                                                • Instruction ID: 84da273acf55612762ec88c419ef9ae9b67b8e03bfd03d6a714590325382a360
                                                                                                • Opcode Fuzzy Hash: 7446336db5b06dcf8fa00b8c2d9ed0cce80c9407989f65e2afe469c75756f0ec
                                                                                                • Instruction Fuzzy Hash: 4D2166313002059FC729EF69D484A6AB7E6FF89614B9445AED04ACF7A1CB31EC04CBA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: acbff4cf914822a595f1d71b53ed306dc669213cbe76b50b097b7072a2c9c43d
                                                                                                • Instruction ID: 85cad2bec64a06715fffe00325cd40ff80d3f558d6cde41f9d8829c5cbe9a7f9
                                                                                                • Opcode Fuzzy Hash: acbff4cf914822a595f1d71b53ed306dc669213cbe76b50b097b7072a2c9c43d
                                                                                                • Instruction Fuzzy Hash: BB21F4357406109FD754DB29D958F2AB7A2FF88B18F2584A9E50ACF3B5DA71EC018B80
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2449699153.0000000003BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03BDD000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3bdd000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 036a38d9ac182790c52e13e8233d058d197cdcbba8c50f88a23afccb4cfb8c37
                                                                                                • Instruction ID: 701bbef78c9704c2c2e5e8e6e97ca00648f0bb16819b6cb4bd2377ab90dfe6e5
                                                                                                • Opcode Fuzzy Hash: 036a38d9ac182790c52e13e8233d058d197cdcbba8c50f88a23afccb4cfb8c37
                                                                                                • Instruction Fuzzy Hash: BE212571504200DFCB14DF24E994B16BBA5EFC8318F24C5FDD8894B256D336D847CA61
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2449699153.0000000003BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03BDD000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3bdd000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e9f7ce70c37194904e78b1d5cfced4660e3cc82182a8bb616eedbaa7ac9c3139
                                                                                                • Instruction ID: 50d02b39dcfacb2878934d3795955e7e31784b6e7c579e697cadb7f1f96e25d8
                                                                                                • Opcode Fuzzy Hash: e9f7ce70c37194904e78b1d5cfced4660e3cc82182a8bb616eedbaa7ac9c3139
                                                                                                • Instruction Fuzzy Hash: 662104B1A44200EFDB05DF14D9C0B26BBA5FF88318F24C6FDD9894B256D376D846CA61
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3563d2ace1f0e07a20a4625d9033c63aaa066215930b16e7e3ad870e3af44197
                                                                                                • Instruction ID: 6ed4b0bc7310fda9f0c978744d58df9bcfc6e17adeb5c4e1fa2f8354e9b69d96
                                                                                                • Opcode Fuzzy Hash: 3563d2ace1f0e07a20a4625d9033c63aaa066215930b16e7e3ad870e3af44197
                                                                                                • Instruction Fuzzy Hash: 2121D430600649AFCF11DBB8C454AAEBBF6AF85340F1446AAD4869B265EE70E845CB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 55d5af6177001d5968b86c1397297f5701adcfd2d6797f9e968cd310048fdc85
                                                                                                • Instruction ID: d432a97ce428cf2949d3e2d7f323b9a57aac00e988031e6d756f37d2491068f0
                                                                                                • Opcode Fuzzy Hash: 55d5af6177001d5968b86c1397297f5701adcfd2d6797f9e968cd310048fdc85
                                                                                                • Instruction Fuzzy Hash: 2C11F6383106518FCB19EB78D41466D37EBEFCAA51B5440BDE10ACF3A0CE368A428B51
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 1ea7c5f3334a07bdd6297de365cbc1db44266b5a72189224a89c028890e49df2
                                                                                                • Instruction ID: fd61869db36c2d8b89e9827f781dc09dee817f47e611ce50d2a87c235d2959f9
                                                                                                • Opcode Fuzzy Hash: 1ea7c5f3334a07bdd6297de365cbc1db44266b5a72189224a89c028890e49df2
                                                                                                • Instruction Fuzzy Hash: 2F1104213182A01FCF12237858205BE7FE69FC7300B5944EAD185CF262CE665C07C7A2
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2449699153.0000000003BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03BDD000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3bdd000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2449466136.0000000003BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03BCD000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3bcd000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2449699153.0000000003BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03BDD000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3bdd000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2449466136.0000000003BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03BCD000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3bcd000_XMLSAT++.jbxd
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7c401cfa542019c3864d5b4502c42d59f87f3fc5b73fcfdbe8c2f044000a9927
                                                                                                • Instruction ID: 0ae810da6192cef736eb84b79e7662bf70c2eb457407073b061a64a59dd639fd
                                                                                                • Opcode Fuzzy Hash: 7c401cfa542019c3864d5b4502c42d59f87f3fc5b73fcfdbe8c2f044000a9927
                                                                                                • Instruction Fuzzy Hash: 5DF02B76B0421447DB20E67E98543ABB69ADBC4F71F49807DD90ECB384CE68CD4213D1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ae6f3490bb8a29f0984925cbd96fb38ae465989e1529334ca890300a932e4dde
                                                                                                • Instruction ID: 2d57e2f51664929c9acce58f2ce2d311b7d20a0193589c0fd6ca26f820bb89d1
                                                                                                • Opcode Fuzzy Hash: ae6f3490bb8a29f0984925cbd96fb38ae465989e1529334ca890300a932e4dde
                                                                                                • Instruction Fuzzy Hash: 1BF0A4343446A04FCB29DB399454A7A3BEAEFCAA00F0850FAE445CF261DB209C068751
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d7f8e51a7d7370061d4b8a6b766d041164ac6169decc601b55ace851344566c9
                                                                                                • Instruction ID: 99899daf827dec191f2e29aba764eaa91a0d4bed74ead71c809bf5b6e4042acc
                                                                                                • Opcode Fuzzy Hash: d7f8e51a7d7370061d4b8a6b766d041164ac6169decc601b55ace851344566c9
                                                                                                • Instruction Fuzzy Hash: 1D016775D0061DAFCF41EFA8C5449EEBBF5FF48210F10855AE859A7310E770AA50DBA2
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 0d99f0e9f5af15ff6f737ec12a6a6e0dde1d9b118e8b7513233975d5587e2dea
                                                                                                • Instruction ID: d53e9f68ee2a4f4adfa0f278a356e37072527fe88dd683d4a8da715831722644
                                                                                                • Opcode Fuzzy Hash: 0d99f0e9f5af15ff6f737ec12a6a6e0dde1d9b118e8b7513233975d5587e2dea
                                                                                                • Instruction Fuzzy Hash: B1F01736750A118FC304DB6DE94486AB7F9FFCAA2135545AAE249D7724EA61E8008B90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2449466136.0000000003BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03BCD000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3bcd000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ee93ac97d81d0c5522831f9572d0134790e70fd3577c18258d2a76d815dc91e6
                                                                                                • Instruction ID: fd4d4ab321e9f73f2946e7c3b53d1be7fb94f74dc93d58e9fdefb472e9af55a3
                                                                                                • Opcode Fuzzy Hash: ee93ac97d81d0c5522831f9572d0134790e70fd3577c18258d2a76d815dc91e6
                                                                                                • Instruction Fuzzy Hash: 2DF0F9B6600640AFD720DF0AD984C23FBEDEBD4674719C5AEE84A4B751C671EC42CEA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2b19543e7351bbb7d7f4e07af88c91df38ab1dda93a7fd9465e7095c229b4e2c
                                                                                                • Instruction ID: c9c7de42a2edaecdd003dcc709bdddde3ab1af74cfd3d3b414ba7bcbd877cf47
                                                                                                • Opcode Fuzzy Hash: 2b19543e7351bbb7d7f4e07af88c91df38ab1dda93a7fd9465e7095c229b4e2c
                                                                                                • Instruction Fuzzy Hash: 11010C35B442188BDB549F34E41863837E6BB48341F04856AE807E7354DA35CE428F42
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2449466136.0000000003BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03BCD000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3bcd000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 935c414fdfe5e970935dcce440244e65e2a48815b063d1ed251d817bc5fe597c
                                                                                                • Instruction ID: 50aeb9ae1703741409efbb41fe13f9849bde9cb260fc733457f2775d76695621
                                                                                                • Opcode Fuzzy Hash: 935c414fdfe5e970935dcce440244e65e2a48815b063d1ed251d817bc5fe597c
                                                                                                • Instruction Fuzzy Hash: 8FF0EC75104A80AFD725CF15C984C22BBF9EF89664719859EE8494B352C671FC42CF60
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 60451afb3299d903b002be8f86213644c6f9dd5737f47d379d472d1d3d12657b
                                                                                                • Instruction ID: 645d234ffffc3668fd97db2db67ba91bc3b19873c6ac9a1f73b7c1e049328183
                                                                                                • Opcode Fuzzy Hash: 60451afb3299d903b002be8f86213644c6f9dd5737f47d379d472d1d3d12657b
                                                                                                • Instruction Fuzzy Hash: 3EF090353086A08FC31587ADE894AB17BE5AB9A500F5981EAE0C6CB372C664D805DB61
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d5b1b369ea3dc49b185d94875d7ca3c52ff556c0dbefd8c9fd955d7773a08cb7
                                                                                                • Instruction ID: c3acd07bb878d5031fcfdf6ba19bec7686f17f32a5657b662733240d77be7c09
                                                                                                • Opcode Fuzzy Hash: d5b1b369ea3dc49b185d94875d7ca3c52ff556c0dbefd8c9fd955d7773a08cb7
                                                                                                • Instruction Fuzzy Hash: 59F0F031908788CFCB02EB38D8919E67FB0EF86300B0892CAE0889F136D770A480CB51
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 863e8d5a767766bdb6eba4615d40596f0763308e5327dc46e0919be94e0f8883
                                                                                                • Instruction ID: cf9a76a8f29233c14b6768e632e0c72f58c0faa11dc378d544c313af68df01dc
                                                                                                • Opcode Fuzzy Hash: 863e8d5a767766bdb6eba4615d40596f0763308e5327dc46e0919be94e0f8883
                                                                                                • Instruction Fuzzy Hash: FAE0653F300154574A05B5EEA80096FBA9BDFC6AA1305403AEA09DB350DD258D16C7E1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8eb4f0e4eb73fbc03416cb8be2568c54e57143220fbe1761e819fe7764e198ca
                                                                                                • Instruction ID: 29abdd01535a5eb7ca9a8cc48c0483dd3b71955a1ffaacc4ac635596ac9cd9ff
                                                                                                • Opcode Fuzzy Hash: 8eb4f0e4eb73fbc03416cb8be2568c54e57143220fbe1761e819fe7764e198ca
                                                                                                • Instruction Fuzzy Hash: 64F05E347406258FD728DB29D449A6A37EABFC9A10F0450B9E509CB360DF70EC018795
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ca04a24cb457ff48664e6babac5a6ee5c8ed2747b534d84138ad782f703866cf
                                                                                                • Instruction ID: 142897b0c0aec33b5d958bcf7bdbb146432bd44ebc8fa6ce89561f4150f584f4
                                                                                                • Opcode Fuzzy Hash: ca04a24cb457ff48664e6babac5a6ee5c8ed2747b534d84138ad782f703866cf
                                                                                                • Instruction Fuzzy Hash: 5AF08C317156809FC700DB6DD854D55BBF8EF8BA1030A00EAE144CB336DAA0E8008B91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 0ab9e5c655fd242cec11016eba9d2acbe3fbf5ad0fe643492c8fb08bd499ecba
                                                                                                • Instruction ID: 94b458b2cba50fd45d70be88b89882adb058d01188437dd36e9961780aeb67e8
                                                                                                • Opcode Fuzzy Hash: 0ab9e5c655fd242cec11016eba9d2acbe3fbf5ad0fe643492c8fb08bd499ecba
                                                                                                • Instruction Fuzzy Hash: 3EF0FE34245690CFD7239B389850BE77BE6EFC6310F1544AAC0998B296CA729845DBA2
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 0ee036be9e3860024eab95d34f26569ac87fe519e370209a3e5964e4c16bdf67
                                                                                                • Instruction ID: 13a3b3712e4d670bb702e0727a3b19f3578e21fae143fef03dba6da132895a10
                                                                                                • Opcode Fuzzy Hash: 0ee036be9e3860024eab95d34f26569ac87fe519e370209a3e5964e4c16bdf67
                                                                                                • Instruction Fuzzy Hash: 6AF054303096E08FC716873CE4A4AB57FF16F5B201B2D41EAE0C6CB362C6505C05DB61
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 418c572a76e1d71e6a9db1b94e793acb5a62384a4b53d26fc45aab10e302b550
                                                                                                • Instruction ID: 8d46caf06b0884231e155eb354aa337dd0872f490f40a10da1da6835e385346f
                                                                                                • Opcode Fuzzy Hash: 418c572a76e1d71e6a9db1b94e793acb5a62384a4b53d26fc45aab10e302b550
                                                                                                • Instruction Fuzzy Hash: 09E06526B493E00FCB0AE6B858609AE3FAF9F86651B1540E6D545CBAC6CD649C0183A5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 53475633d160917b9c60ebadc6a99d2c217b07ed40e01ec07b2c9fdc6f31e49e
                                                                                                • Instruction ID: 0974b5b2e62c00d3b589f609878dc429c4501d2375cf9511f16c4c1a72c450a4
                                                                                                • Opcode Fuzzy Hash: 53475633d160917b9c60ebadc6a99d2c217b07ed40e01ec07b2c9fdc6f31e49e
                                                                                                • Instruction Fuzzy Hash: 87E0ED74A44214CBDB589F71D85C2397AEAEB88342F048576E816D6358EE358A42CB05
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b910e6d9b523102de1fd0a143f749a2d04872bb1c5e31bf22621a21d9835dfa0
                                                                                                • Instruction ID: 5fdd5d8154a3af6e9d6f05fc5ad24d19657e95ab6d6f0944bdd4d5ecdf8cd442
                                                                                                • Opcode Fuzzy Hash: b910e6d9b523102de1fd0a143f749a2d04872bb1c5e31bf22621a21d9835dfa0
                                                                                                • Instruction Fuzzy Hash: 32E0BF36A05109EBDF01DFC0E951BDEBB72FF48311F104115FA1127290C7729A25DB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: bb74edd62edec49fd6082fe374838761d4408c244f71135838bdcaa08cb19e95
                                                                                                • Instruction ID: c116d8a7069f5e2fee818fdd2130f5028a7a9174d2cf7f807300d2026dc2d84f
                                                                                                • Opcode Fuzzy Hash: bb74edd62edec49fd6082fe374838761d4408c244f71135838bdcaa08cb19e95
                                                                                                • Instruction Fuzzy Hash: BCE0123024C2850FD702C669C851A61BFA18FAB61471891FA9448CB757D926DD02D751
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6bcd6bfa0da87bbcd7703487d737a91e597db2dddbc89977fcc72880d3a4982d
                                                                                                • Instruction ID: a65ee18589142481ece40d94a44fc1063cc113366fea9db6ca00cc5386280745
                                                                                                • Opcode Fuzzy Hash: 6bcd6bfa0da87bbcd7703487d737a91e597db2dddbc89977fcc72880d3a4982d
                                                                                                • Instruction Fuzzy Hash: C5D05E353553268BCB85DFA8E859B3A33E9B788604F449068D809CFB49EF34ED028F41
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 070ac5c12cdcbadb4ee3589cedc39f3de85711a9353864bd68319430c798a143
                                                                                                • Instruction ID: faa0cf28dffd65662380029c0642a8cea072db273b26127703159641a20cf9b6
                                                                                                • Opcode Fuzzy Hash: 070ac5c12cdcbadb4ee3589cedc39f3de85711a9353864bd68319430c798a143
                                                                                                • Instruction Fuzzy Hash: DFD05E30209B841FC706C76CCC61921BFA5DF8B228358C1DAE5A9CB6E3D522ED13D7A5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 545a0c640afcbbbae55c31717a585fd3b1ab137b68e81559e859968b018eb215
                                                                                                • Instruction ID: 7f70fe31fbcb10c4126132dc13358902f509d8262ec4352676e5026fcb2b51ba
                                                                                                • Opcode Fuzzy Hash: 545a0c640afcbbbae55c31717a585fd3b1ab137b68e81559e859968b018eb215
                                                                                                • Instruction Fuzzy Hash: 91D05E301093988FCB26DB7184914967BB1AE5620032459EEC086CF566D732E462CB11
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6de034162ab7f8e9ad5744a719579ecd81afa5a7ee3f37fc1c8cc87ce5df0915
                                                                                                • Instruction ID: b77d57288956f594f4bc8ab3099e78af6b6769f7272c394a0cf62d02c164968b
                                                                                                • Opcode Fuzzy Hash: 6de034162ab7f8e9ad5744a719579ecd81afa5a7ee3f37fc1c8cc87ce5df0915
                                                                                                • Instruction Fuzzy Hash: A2B0127415830CC7DE2237DCA4342D73BEEC7D451BF414478910D07A409D59E90215E2
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
                                                                                                • Instruction ID: 694001792f22e0055fa43b49034efa2d472abfb1ce40b5e56c8e6a3e9856d5e5
                                                                                                • Opcode Fuzzy Hash: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
                                                                                                • Instruction Fuzzy Hash: 53B09237E0400889DB109A84B4417EEF720E780225F104023C2615244183B2417496D1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7f358ace9823340262ae0d5133d3238390c3df88e192b3738c3bf073b32cea1a
                                                                                                • Instruction ID: a331ba327e05542c95b9cb6405da71eedd4ba67d06b55443651db796bb3bd612
                                                                                                • Opcode Fuzzy Hash: 7f358ace9823340262ae0d5133d3238390c3df88e192b3738c3bf073b32cea1a
                                                                                                • Instruction Fuzzy Hash: 41B09235184609CFC310AB58D949E607BA9EF44605B0580F0E1088BA32D622F8008B44
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3640d95ea291a0fc44eaa6c2df7ed0d1fcc5d0add5354dadf22ea5d1c6224ee4
                                                                                                • Instruction ID: a5fa9a848c9cef3a1f0bf71c75560096da86080c2bf6543c09d812b72b305170
                                                                                                • Opcode Fuzzy Hash: 3640d95ea291a0fc44eaa6c2df7ed0d1fcc5d0add5354dadf22ea5d1c6224ee4
                                                                                                • Instruction Fuzzy Hash: 9CB012340C8B08CB8641F7B0FC0E0083FDCF9015623440010E40EC0500FE21A50387D1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 63883b7038644431f5fc2242f08fe026f910c200b89ed01d34acf57ef3bbf135
                                                                                                • Instruction ID: fab4a7c5e2a16642371183463628661fc1759f0b583fe534007d810e564e32e6
                                                                                                • Opcode Fuzzy Hash: 63883b7038644431f5fc2242f08fe026f910c200b89ed01d34acf57ef3bbf135
                                                                                                • Instruction Fuzzy Hash: 78B0923009C108CFC6422BA0F80C04A7BE8BA403023800020E00A80052CF20AA42CA89
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d1cdb4f687ab12025e8389c2fb21792c812de654467923881419b2744bb53e71
                                                                                                • Instruction ID: 7de4840db72a739a7296ecabbd3d178890c8b70a70b6a7fce96b4b1d731f9c0f
                                                                                                • Opcode Fuzzy Hash: d1cdb4f687ab12025e8389c2fb21792c812de654467923881419b2744bb53e71
                                                                                                • Instruction Fuzzy Hash: 6AB092341502088F82409B59D449C00BBE8AF08A243454090E1088B632C621F8008A40
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c63ccd231820c7cbf34b02979d153261a0665780ec0bb7f16299e3f88e3d0342
                                                                                                • Instruction ID: 48b7834339e78c51d8bb45c584aaae082cebe8ebf0c9b0ccbd238d49cf6e0f1f
                                                                                                • Opcode Fuzzy Hash: c63ccd231820c7cbf34b02979d153261a0665780ec0bb7f16299e3f88e3d0342
                                                                                                • Instruction Fuzzy Hash: 47A0243004570CC7C3043774700505033DCD5001173C00074D10C00750C737D051CFD0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6517f496a00ba38ad5b24dbf8d04ed5bb3d23868d82863672c56e1ec0ae35b76
                                                                                                • Instruction ID: c093beb771e4e2981aa982fbfe7f2b4411de4349430f5c1b6ad4d150743c70d9
                                                                                                • Opcode Fuzzy Hash: 6517f496a00ba38ad5b24dbf8d04ed5bb3d23868d82863672c56e1ec0ae35b76
                                                                                                • Instruction Fuzzy Hash: 38A0123004420C8781005644E80645077AC9644516340405D940D022518B13F802C9D0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3d1f22fe87cde3ed64321900d6ebbcd6dce45041b7d22274f7a8e609cd13b368
                                                                                                • Instruction ID: 91c144a82d4f0d19e2bbf58b460e2878d890492c70070397352cc047539ffdba
                                                                                                • Opcode Fuzzy Hash: 3d1f22fe87cde3ed64321900d6ebbcd6dce45041b7d22274f7a8e609cd13b368
                                                                                                • Instruction Fuzzy Hash: 23B0123104410CE787011A81E80484A7F9CE7103507044021F50400010C7329521D5D8
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4110430d90d9e47b7091ee2693bda7662819330e5196cdf8bd042d88932a946f
                                                                                                • Instruction ID: 0938aaf70b5421b8f393bad0bfade79dbda25e04388ad60d39ae274a123b7042
                                                                                                • Opcode Fuzzy Hash: 4110430d90d9e47b7091ee2693bda7662819330e5196cdf8bd042d88932a946f
                                                                                                • Instruction Fuzzy Hash: 88A0223000AF0C8E8200B2B02C00020338C0800008B8000B88A0CCCA208833E0A28288
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e3336d5211f0ff9fff38cc453e794cc09ae6b62e2187588511da2d832355fabf
                                                                                                • Instruction ID: a4f0eaf3d51852e2078ed4d7143621cfa6aebafa9cf5ba2ef012ee806baf18bd
                                                                                                • Opcode Fuzzy Hash: e3336d5211f0ff9fff38cc453e794cc09ae6b62e2187588511da2d832355fabf
                                                                                                • Instruction Fuzzy Hash: 0DA02238002B0CC28A2032BA2200022338C080002838000B88A0C8CA300833E0A0C080
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 9f0cebcfec9ffd70740535174eefd55b16a3f09ce289196467ea486239cd7639
                                                                                                • Instruction ID: 35d517994cc927a7d34af8491b25a465c04fa83340f0b60ff21b41deeafff69b
                                                                                                • Opcode Fuzzy Hash: 9f0cebcfec9ffd70740535174eefd55b16a3f09ce289196467ea486239cd7639
                                                                                                • Instruction Fuzzy Hash: FCB0123104010CB787012A81FC088457F6CE710350B004021F504011118732A5209694
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ed3ac635057abbd52ddd3510f83243b3018b3549cd643fdae10e072342176109
                                                                                                • Instruction ID: f469084649896f4cf2eeab3fbfca3c9dc3e9f00376b641d4b420f2551cc0a90b
                                                                                                • Opcode Fuzzy Hash: ed3ac635057abbd52ddd3510f83243b3018b3549cd643fdae10e072342176109
                                                                                                • Instruction Fuzzy Hash: 96B0123100410CFB8A012A41D8048C57F1DD7202617004025F50400010873255619596
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b295666547528d2f527c05878ccaa09b85462c18bcef1073196742a2d2c0f959
                                                                                                • Instruction ID: c2bccb30bed8ff41b0f62f740e5e7f06ee9e72e7ca36fff7e38ffbda8990f000
                                                                                                • Opcode Fuzzy Hash: b295666547528d2f527c05878ccaa09b85462c18bcef1073196742a2d2c0f959
                                                                                                • Instruction Fuzzy Hash: CDB012300443084F42009BE178041007BECD1141243800035D40D41202E52190404E41
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a8b1495f61cb46e799501ad2e52a70839ecfdf7988e84f5f439d4e6b00b83144
                                                                                                • Instruction ID: dc2b2b456387cbb95f0c7a01846be18836be904204ee7ed78d3853b5841a936c
                                                                                                • Opcode Fuzzy Hash: a8b1495f61cb46e799501ad2e52a70839ecfdf7988e84f5f439d4e6b00b83144
                                                                                                • Instruction Fuzzy Hash:
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: $'bq$$'bq
                                                                                                • API String ID: 0-1076528801
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2450417820.0000000003C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3c70000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: $'bq$$'bq
                                                                                                • API String ID: 0-1076528801
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452292197.0000000003DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DC0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dc0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452292197.0000000003DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DC0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dc0000_XMLSAT++.jbxd
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: $'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq
                                                                                                • API String ID: 0-2401176310
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: $'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq
                                                                                                • API String ID: 0-2401176310
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: $'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq
                                                                                                • API String ID: 0-3983707326
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2452602109.0000000003DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03DD0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_3dd0000_XMLSAT++.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: $'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq$$'bq
                                                                                                • API String ID: 0-3983707326
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%