
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1431124
MD5: d41582bde613bd63caffa80f482e692b
SHA1: d1ccf0f0f4224e4daa412c868729977cddec079e
SHA256: 212f5fb634003890f2b61ade6d3bf474e16787e3f536f0484a2a23f55d562bf0
Tags: exe

Detection

Family: RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D41582BDE613BD63CAFFA80F482E692B)
    • RegAsm.exe (PID: 7416 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 7500 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7364 -s 340 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "5.42.65.96:28380", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
00000002.00000002.1601803658.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: file.exe PID: 7364 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.af0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
                    No Sigma rule has matched
Timestamp: 04/24/24-16:03:03.712042
SID: 2046045
Source Port: 49708
Destination Port: 28380
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/24/24-16:03:04.020691
SID: 2043234
Source Port: 28380
Destination Port: 49708
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/24/24-16:03:20.610356
SID: 2043231
Source Port: 49708
Destination Port: 28380
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/24/24-16:03:09.394447
SID: 2046056
Source Port: 28380
Destination Port: 49708
Protocol: TCP
Classtype: A Network Trojan was detected


                    AV Detection

Source: 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "5.42.65.96:28380", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: file.exe | ReversingLabs: Detection: 21%
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\fkva7st\Body.pdb source: file.exe
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8961E FindFirstFileExW | 0_2_00B8961E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B89B02 FindFirstFileExW,FindNextFileW,FindClose,FindClose | 0_2_00B89B02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0705CA5Bh | 2_2_0705C798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0705C45Fh | 2_2_0705BD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0705EE60h | 2_2_0705E968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0705ABB3h | 2_2_0705A980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 07051635h | 2_2_07051614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 07050735h | 2_2_07050359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 07050735h | 2_2_07050368

                    Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.8:49708 -> 5.42.65.96:28380
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.8:49708 -> 5.42.65.96:28380
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 5.42.65.96:28380 -> 192.168.2.8:49708
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 5.42.65.96:28380 -> 192.168.2.8:49708
Source: Malware configuration extractor | URLs: 5.42.65.96:28380
Source: global traffic | TCP traffic: 192.168.2.8:49708 -> 5.42.65.96:28380
Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.65.96
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: file.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: file.exe | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: RegAsm.exe, 00000002.00000002.1602805701.00000000012AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adp/1.0/X8
Source: RegAsm.exe, 00000002.00000002.1602805701.00000000012AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.exif/1
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0H
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0I
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/D
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
                    Source: file.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                    Source: RegAsm.exe, 00000002.00000002.1603564573.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000003550000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: file.exe, file.exe, 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000002.00000002.1601803658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
                    Source: RegAsm.exe, 00000002.00000002.1603564573.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000003550000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: RegAsm.exe, 00000002.00000002.1603564573.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000003550000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: RegAsm.exe, 00000002.00000002.1603564573.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000003550000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: RegAsm.exe, 00000002.00000002.1603564573.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000003550000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: RegAsm.exe, 00000002.00000002.1603564573.00000000034B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: RegAsm.exe, 00000002.00000002.1603564573.0000000003550000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabS
                    Source: RegAsm.exe, 00000002.00000002.1603564573.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000003550000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: file.exe | String found in binary or memory: https://www.digicert.com/CPS0
                    Source: RegAsm.exe, 00000002.00000002.1603564573.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000003550000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: RegAsm.exe, 00000002.00000002.1603564573.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000003550000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp4943.tmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp4973.tmp
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3C918
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5CA52
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5CE6C
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5D298
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5D6B2
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5DB23
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5DFA7
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B36001
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B724F0
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8E43A
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5E418
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9267F
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1A7B1
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5E856
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7E92B
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B76973
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B72B60
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5ECA7
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6EECB
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B730A0
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5F0E5
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5F60E
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF2671
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7F82B
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5FB4A
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6FC60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0129DC74
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_068367D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0683A3E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_06833F50
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0683A3D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_06836FE8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_06836FF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0705B330
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0705D1D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0705BD00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0705E968
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_070516B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_070516C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_070586D1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_070586E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07050359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07050368
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07050968
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B7A7A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B76598
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B715F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B7A300
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B7DC38
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B7FA58
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B708B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B7E558
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B7E549
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B7FA49
                    Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00B81CDC appears 38 times
                    Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00AF3094 appears 56 times
                    Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00AF2266 appears 49 times
                    Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00AF5263 appears 37 times
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7364 -s 340
                    Source: file.exeStatic PE information: invalid certificate
                    Source: file.exeBinary or memory string: OriginalFilename vs file.exe
                    Source: file.exe, 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBeaufin.exe8 vs file.exe
                    Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/10@0/1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Mutant created: NULL
                    Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7364
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File created: C:\Users\user\AppData\Local\Temp\Tmp4943.tmp
                    Source: file.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File read: C:\Program Files (x86)\desktop.ini
                    Source: C:\Users\user\Desktop\file.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: RegAsm.exe, 00000002.00000002.1606358652.0000000004367000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: file.exe; ReversingLabs: Detection: 21%
                    Source: unknown; Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                    Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7364 -s 340
                    Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\file.exe; Section loaded: apphelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: apphelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: aclayers.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: dwrite.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: msvcp140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: msisip.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: wshext.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: appxsip.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: opcservices.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: esdsip.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: dpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: sxs.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: scrrun.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: propsys.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: linkinfo.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: windowscodecs.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: rstrtmgr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
                    Source: Google Chrome.lnk.2.dr; LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: file.exe; Static file information: File size 1247856 > 1048576
                    Source: file.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: file.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: C:\fkva7st\Body.pdb source: file.exe
                    Source: file.exe; Static PE information: section name: .00cfg
                    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AF2207 push ecx; ret 0_2_00B34113
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_06813838 push eax; iretd 2_2_06814309
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_068142FC push eax; iretd 2_2_06814309
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0683E060 push es; ret 2_2_0683E070
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0683ECF2 push eax; ret 2_2_0683ED01
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_07056320 pushfd ; ret 2_2_0705632D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_07B7F7B0 push es; iretd 2_2_07B7F7B2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_07B7F773 push es; iretd 2_2_07B7F77A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_07B7F770 push es; iretd 2_2_07B7F772
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_07B7A20C push FFFFFF8Bh; iretd 2_2_07B7A20E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_07B7A260 push FFFFFF8Bh; iretd 2_2_07B7A262
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_07B7F82B push es; iretd 2_2_07B7F832

                    Persistence and Installation Behavior

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 1290000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 2F20000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 2D80000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Window / User API: threadDelayed 2214
                    Source: C:\Users\user\Desktop\file.exe; API coverage: 0.7 %
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8048; Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7456; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00B8961E FindFirstFileExW
                    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00B89B02 FindFirstFileExW,FindNextFileW,FindClose,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 922337203685477
                    Source: Amcache.hve.5.dr; Binary or memory string: VMware
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: ms.portal.azure.comVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: AMC password management pageVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: interactivebrokers.comVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                    Source: Amcache.hve.5.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696494690
                    Source: Amcache.hve.5.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696494690o
                    Source: Amcache.hve.5.drBinary or memory string: vmci.sys
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696494690
                    Source: Amcache.hve.5.drBinary or memory string: VMware20,1
                    Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.5.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.5.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.5.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696494690t
                    Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.5.drBinary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.5.drBinary or memory string: VMware VMCI Bus Device
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696494690x
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
                    Source: Amcache.hve.5.drBinary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.5.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                    Source: Amcache.hve.5.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696494690f
                    Source: Amcache.hve.5.drBinary or memory string: VMware Virtual USB Mouse
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696494690t
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696494690s
                    Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                    Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.
                    Source: Amcache.hve.5.drBinary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696494690t
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
                    Source: Amcache.hve.5.drBinary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.5.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.5.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696494690t
                    Source: Amcache.hve.5.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696494690o
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696494690j
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                    Source: Amcache.hve.5.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                    Source: Amcache.hve.5.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                    Source: RegAsm.exe, 00000002.00000002.1613600947.000000000583A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696494690s
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696494690
                    Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin`
                    Source: Amcache.hve.5.drBinary or memory string: \driver\vmci,\driver\pci
                    Source: RegAsm.exe, 00000002.00000002.1606358652.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696494690j
                    Source: Amcache.hve.5.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                    Source: Amcache.hve.5.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696494690x
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696494690f
                    Source: RegAsm.exe, 00000002.00000002.1603564573.000000000326E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0705D1D8 LdrInitializeThunk,2_2_0705D1D8
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B88EA7 IsDebuggerPresent,0_2_00B88EA7
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B8C0BA mov eax, dword ptr fs:[00000030h]0_2_00B8C0BA
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B8C1D1 mov eax, dword ptr fs:[00000030h]0_2_00B8C1D1
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B8C10D mov eax, dword ptr fs:[00000030h]0_2_00B8C10D
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B8C160 mov eax, dword ptr fs:[00000030h]0_2_00B8C160
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B8C2C4 mov eax, dword ptr fs:[00000030h]0_2_00B8C2C4
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B8C3AB mov eax, dword ptr fs:[00000030h]0_2_00B8C3AB
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B8C319 mov eax, dword ptr fs:[00000030h]0_2_00B8C319
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B8C36E mov eax, dword ptr fs:[00000030h]0_2_00B8C36E
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B79C27 mov ecx, dword ptr fs:[00000030h]0_2_00B79C27
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B34166 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00B34166
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B44F55 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B44F55
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B33DBA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B33DBA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C7A008
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B33937 cpuid
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0CB3F GetLocaleInfoEx,FormatMessageA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B81573 EnumSystemLocalesW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B81762 EnumSystemLocalesW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B822BD GetLocaleInfoW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B325C2 GetLocaleInfoEx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8EB32 GetACP,IsValidCodePage,GetLocaleInfoW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8EEFD EnumSystemLocalesW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8EE7B EnumSystemLocalesW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8EFBE EnumSystemLocalesW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8F06B GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8F352 GetLocaleInfoW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8F4C5 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8F60C GetLocaleInfoW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8F70E GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8230B GetSystemTimeAsFileTime
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    barindex
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.file.exe.af0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.1601803658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: file.exe PID: 7364, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7416, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7416, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1601803658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7364, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7416, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 251 Security Software Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 251 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 311 Process Injection | NTDS | 251 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Install Root Certificate | DCSync | 134 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

Source | Detection | Scanner | Label | Link
file.exe | 21% | ReversingLabs | Win32.Infostealer.Kysler |
file.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe |
http://tempuri.org/ | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe |
http://ns.exif/1 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe |
http://ns.adp/1.0/X8 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe |
                    No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | RegAsm.exe, 00000002.00000002.1603564573.00000000034B3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | RegAsm.exe, 00000002.00000002.1603564573.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000003550000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14ResponseD | RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | RegAsm.exe, 00000002.00000002.1603564573.0000000003152000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/ | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.exif/1 | RegAsm.exe, 00000002.00000002.1602805701.00000000012AE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13ResponseD | RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5ResponseD | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000002.00000002.1603564573.0000000003026000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | file.exe, file.exe, 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000002.00000002.1601803658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1ResponseD | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegAsm.exe, 00000002.00000002.1603564573.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000003550000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id22 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | RegAsm.exe, 00000002.00000002.1603564573.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000003550000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1Response | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21ResponseD | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.adp/1.0/X8 | RegAsm.exe, 00000002.00000002.1602805701.00000000012AE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id10 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id11 | RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id10ResponseD | RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe |
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id12RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id13RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id14RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id15RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id16RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id17RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id18RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id19RegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000002.00000002.1603564573.0000000003152000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000002.00000002.1603564573.0000000002F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
5.42.65.96 | unknown | Russian Federation |  | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431124
Start date and time: 2024-04-24 16:02:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/10@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 93
• Number of non-executed functions: 71
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
16:03:04 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
16:03:18 | API Interceptor | 14x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
5.42.65.96 | file.exe |  | malicious | RedLine |  | 
 | file.exe |  | malicious | RedLine |  | 
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe |  | malicious | Unknown |  | • 5.42.66.10
 | file.exe |  | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT |  | • 5.42.66.10
 | file.exe |  | malicious | Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT |  | • 5.42.66.10
 | file.exe |  | malicious | RedLine |  | • 5.42.65.96
 | c3nBx2HQG2.exe |  | malicious | Glupteba, Mars Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar, zgRAT |  | • 5.42.66.10
 | file.exe |  | malicious | RedLine |  | • 5.42.65.96
 | file.exe |  | malicious | RedLine |  | • 5.42.65.50
 | HwJWf67Y5h.exe |  | malicious | RedLine |  | • 5.42.65.50
 | 8xFzJWrEIa.exe |  | malicious | Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar |  | • 5.42.65.50
 | file.exe |  | malicious | RedLine |  | • 5.42.65.50
No context
No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7018787693027856
Encrypted: false
SSDEEP: 192:vsGODvv6PlF0ooj9T3jPzzuiFYZ24IO8TSB:Z86Nmooj5jLzuiFYY4IO8e
MD5: 7155DB38959B8402DD5289B61B62B9E7
SHA1: 7992E5EC0BE424C2775DB3EAA53703B3A968562E
SHA-256: ED2A09C73930A63736875DF5B4D00B0ACF5B9D9A54AD54BD57BD8C4B6B50896A
SHA-512: 64F1261394E8A39D811B270FCDF2282FFDDED771F15F2730413796689729FEEB6A2FE13565C06F8E86FEC4670DE49BDAABC9040305D925E847428E08B877B9F0
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Wed Apr 24 14:02:58 2024, 0x1205a4 type
Category: dropped
Size (bytes): 36894
Entropy (8bit): 1.8062351089806965
Encrypted: false
SSDEEP: 96:5t8HUE36sPiYn01pLw/Jgz4ti7qiTB7yu0KpBXOsLXp8ltIWIkWIzIIPXrbSydCR:0ucvtO1yu1HUlNrbSydCgS
MD5: AFA8DA384FFDBAF515F57C86DB13E4F9
SHA1: A3E71CA057FF910AE1A3342FB83470257D8CEE25
SHA-256: 354D2869DCA5FD093CD3724BA49C9AC54F4B9686D6179D4B9F71C1B2751B7B12
SHA-512: 4A95DDB9632DFE3A613089F21F46BE787528BA0819281CCD7C3B02B53F276619CE7A74C21DDA9200C240533E176CCD78304F6E7DE355F745FB394DF433F27538
Malicious: false
Reputation: low
                                                                                                                                Preview:MDMP..a..... .........)f....................................................T.......8...........T...........H..............`...........L...............................................................................eJ..............GenuineIntel............T.............)f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):8338
                                                                                                                                Entropy (8bit):3.6977546540656934
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:192:R6l7wVeJiCDb6/K+6YSgSUSxgmfBZJjCprRN89bOHsf086m:R6lXJlb6C+6YVSUSxgmf/JjsqOMfJ
                                                                                                                                MD5:70A6410475ED4FA6C44EEBB86852F047
                                                                                                                                SHA1:4200737EEB49C65721BA9CC2B20C16D3DCEFA29D
                                                                                                                                SHA-256:3ADEBF91FE6ACB620EEDED7AA7AA42EC0338D3051AD2CE2A606D6C6685D2DD4B
                                                                                                                                SHA-512:A85D7662664BE378C4E842074655218B8AE1F2CA95792A45A188D3493D2798A2EB33597CEAD4B63851C68F7FDA35189847E2530A48E0188523EA3E11F7DE7ACE
                                                                                                                                Malicious:false
                                                                                                                                Reputation:low
                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.6.4.<./.P.i.
                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):4605
                                                                                                                                Entropy (8bit):4.485537321409701
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:48:cvIwWl8zsqJg77aI9adOOWpW8VY0uYm8M4JlNFPUQ+q8ruJRRxd:uIjf4I7wdOv7V/HJtUQBJbxd
                                                                                                                                MD5:DB93A0F41B527609C332B72A56B8CEBF
                                                                                                                                SHA1:1319374043B38E647D3330F0F3F6511453878F8D
                                                                                                                                SHA-256:859D9C2637EE719EB9C191EE186202B567E6529E93F26AEB9154E1578FD87466
                                                                                                                                SHA-512:2B445004EAE6D62C94F60097F8BD8733F7E9DB3FACAA469BEC37A31D54B8743DCCFB7B60E0BE02E02B4BF67CB0E892A7726E00A639615E5AB03F33D38E72DD06
                                                                                                                                Malicious:false
                                                                                                                                Reputation:low
                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="294065" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 07:36:24 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2104
                                                                                                                                Entropy (8bit):3.463381479709602
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:48:8SeS0dYTcl4KARYrnvPdAKRkdAGdAKRFdAKR1:8SeS7c
                                                                                                                                MD5:39BF3FD9BA5F4BC992FF1724919710EF
                                                                                                                                SHA1:646E0C35AE9A2220DBFE8D9A6586EB4E85830448
                                                                                                                                SHA-256:29D176EBA506EEFF45B73E6C99BCD4B6BD0F5EA467544CF05B85068F3D35D2BE
                                                                                                                                SHA-512:7FD75D528AFCC894C186E562418F26B86DE61AE7B4C03F4B76D36343C50E2DDEDDD8EC2457BFEF442E75AA9263E9461099A78AC89260A24081C92D7A6D1055F2
                                                                                                                                Malicious:false
                                                                                                                                Reputation:low
                                                                                                                                Preview:L..................F.@.. ......,......1.g......q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.IEWqD....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW+B....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VEW+B....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VEW @..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VEW.D..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r
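The shortcut record above is the one dropped artefact in this list that is not a crash-reporting or .NET side effect: RegAsm.exe writes a Windows shortcut whose target is chrome.exe, whose description is "Access the Internet", and whose command-line arguments begin with `--proxy-server` (the preview is cut off, so the proxy value itself is not on the page). A shortcut carrying that switch routes every browser session through an attacker-chosen proxy while the user still sees a normal Chrome icon. The following is an added example, not code from the report or from Joe Sandbox: a minimal MS-SHLLINK reader that walks the 76-byte ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo blocks, and returns the StringData fields so that the arguments can be checked for `--proxy-server`. The `build_lnk` fixture is constructed to mirror the record loosely (description and working directory from the preview; it omits the relative path and uses a hypothetical proxy address) and is not the real dropped file.

```python
import struct

# LinkFlags bits, MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in on-disk (little-endian) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData blocks always appear in this order, each only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk, skipping the IDList and LinkInfo blocks that precede them."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + ItemIDs + TerminalID
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    char_size, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            fields[name] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters; no terminator follows
        pos += 2
        fields[name] = data[pos:pos + count * char_size].decode(codec)
        pos += count * char_size
    return fields


def proxy_server_from_args(arguments):
    """Value of a --proxy-server switch in a shortcut's argument string, or None if it is absent."""
    if not arguments:
        return None
    for token in arguments.split():
        if token.startswith("--proxy-server="):
            return token.split("=", 1)[1].strip('"')
    return None


def build_lnk(arguments: str, with_idlist_and_linkinfo: bool = True) -> bytes:
    """Constructed test fixture: a Unicode .lnk modelled on the dropped Chrome shortcut (not the real file)."""
    flags = HAS_NAME | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    if with_idlist_and_linkinfo:
        flags |= HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)   # FILE_ATTRIBUTE_ARCHIVE; ShowCommand 7 = SW_SHOWMINNOACTIVE
    body = b""
    if with_idlist_and_linkinfo:
        id_list = struct.pack("<H", 4) + b"\x1f\x50" + b"\x00\x00"   # one 4-byte ItemID, then TerminalID
        body += struct.pack("<H", len(id_list)) + id_list
        body += struct.pack("<IIIIIII", 28, 28, 0, 0, 0, 0, 0)      # empty 28-byte LinkInfo block

    def string_data(s: str) -> bytes:            # CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body += string_data("Access the Internet")
    body += string_data(r"C:\Program Files\Google\Chrome\Application")
    body += string_data(arguments)
    return header + body


if __name__ == "__main__":
    # Hypothetical proxy address; the report's preview truncates before the real value
    fields = parse_lnk_strings(build_lnk("--proxy-server=127.0.0.1:8080"))
    print(fields["arguments"], "->", proxy_server_from_args(fields["arguments"]))
```

To hunt for this on a live host, feed `parse_lnk_strings` every `.lnk` under the user's Desktop, Start Menu and taskbar pin directories and alert on any browser shortcut whose `arguments` field yields a non-empty `proxy_server_from_args` result; the parser deliberately stops at StringData, so the ExtraData blocks after it (which a full LNK forensic tool would also read) are not needed for this check.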
                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):3274
                                                                                                                                Entropy (8bit):5.3318368586986695
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
                                                                                                                                MD5:0B2E58EF6402AD69025B36C36D16B67F
                                                                                                                                SHA1:5ECC642327EF5E6A54B7918A4BD7B46A512BF926
                                                                                                                                SHA-256:4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
                                                                                                                                SHA-512:1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
                                                                                                                                Malicious:false
                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2662
                                                                                                                                Entropy (8bit):7.8230547059446645
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                Malicious:false
                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2662
                                                                                                                                Entropy (8bit):7.8230547059446645
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                Malicious:false
                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2251
                                                                                                                                Entropy (8bit):0.0
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3::
                                                                                                                                MD5:0158FE9CEAD91D1B027B795984737614
                                                                                                                                SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                                                                                                                SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                                                                                                                SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                                                                                                                Malicious:false
                                                                                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1835008
                                                                                                                                Entropy (8bit):4.371931238476679
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:6144:bFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNoiL:hV1QyWWI/glMM6kF7Wq
                                                                                                                                MD5:75BB9250ED5E499E329CD838506F2B8A
                                                                                                                                SHA1:2BA956EAD404B705127FCCC45AA355BD219480DD
                                                                                                                                SHA-256:65874E36C4989FA9575586083C4B0EF022974A88DA09B4F0242DAAE8FDF1171A
                                                                                                                                SHA-512:48F6F9E1721DDC7BC91B4B8C325A0A82C633ED8C6E51776E620F3734422582F8BB572A412B3BEAAE0236FA85C40E3704E686215546E2DCA70D1760A56B406C95
                                                                                                                                Malicious:false
                                                                                                                                Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...P...............................................................................................................................................................................................................................................................................................................................................0..(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                Entropy (8bit):6.517660696473407
                                                                                                                                TrID:
                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                File name:file.exe
                                                                                                                                File size:1'247'856 bytes
                                                                                                                                MD5:d41582bde613bd63caffa80f482e692b
                                                                                                                                SHA1:d1ccf0f0f4224e4daa412c868729977cddec079e
                                                                                                                                SHA256:212f5fb634003890f2b61ade6d3bf474e16787e3f536f0484a2a23f55d562bf0
SHA512: 37defa103178d6e281a62f5cc221380f687740cfcf268c24dbeb7bf1c320fbb94be26ce74234b717cafe5f0c74b527ebf8c063fa4c49594174b68e2753e1474d
SSDEEP: 12288:FCRMXFhAS3ocOaKANlQWE4goVyevmV/HSgrouJoz7ZyCwLvsTC/pSiAF1XcwJJSH:FCROhAS3onZANlQWEwtvEPg7SITCCXC
TLSH: 0D45BF2179849076EDF710BB43ECBA3A82ADE4B0071456CF16D857EED7606C27F32686
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9.N|W.N|W.N|W...T.E|W...R..|W...S.[|W...S.\|W...T.Z|W...V.K|W.N|V..|W...R..|W...R.O|W...U.O|W.RichN|W........................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4011cc
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6628F260 [Wed Apr 24 11:52:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 6ba3dc6c76522b49c5ecdb4d22c4531e
Signature Valid: false
Signature Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After
• 08/10/2020 02:00:00 12/10/2023 14:00:00
Subject Chain
• CN=ASUSTeK COMPUTER INC., O=ASUSTeK COMPUTER INC., L=Beitou District, S=Taipei City, C=TW, SERIALNUMBER=23638777, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=TW
Version: 3
Thumbprint MD5: 332CDC164B1324C3FF3F64E228C5FFFC
Thumbprint SHA-1: CBFB3D25134A5FF6FCF2924D5B4BE16194EA7E13
Thumbprint SHA-256: 531855F05B9D55E4F6DDEBC443706382DDB9ACBD2B8AB24004822BE204420943
Serial: 0C9838F673F9B1CCE395CFAB2B6684E4
Instruction
jmp 00007F2C808F18B1h
jmp 00007F2C8090ADCDh
jmp 00007F2C808F0E48h
jmp 00007F2C808F9E45h
jmp 00007F2C808E4BEBh
jmp 00007F2C808D027Bh
jmp 00007F2C80950E76h
jmp 00007F2C808E50E7h
jmp 00007F2C8090BB8Dh
jmp 00007F2C80959220h
jmp 00007F2C808CB327h
jmp 00007F2C808F29F5h
jmp 00007F2C808C9DD6h
jmp 00007F2C80902972h
jmp 00007F2C808DDFE6h
jmp 00007F2C808C36C9h
jmp 00007F2C80928773h
jmp 00007F2C808CD896h
jmp 00007F2C80945C7Eh
jmp 00007F2C808C2E85h
jmp 00007F2C809062DEh
jmp 00007F2C80922D2Ch
jmp 00007F2C808E1E9Ch
jmp 00007F2C80914374h
jmp 00007F2C808EC5B8h
jmp 00007F2C808FAA0Fh
jmp 00007F2C808C5922h
jmp 00007F2C8091EB3Bh
jmp 00007F2C80953BDFh
jmp 00007F2C808DC34Bh
jmp 00007F2C808F2E62h
jmp 00007F2C8092873Eh
jmp 00007F2C8094E174h
jmp 00007F2C80940EDAh
jmp 00007F2C8093B1F4h
jmp 00007F2C808DE4E0h
jmp 00007F2C808FA92Ch
jmp 00007F2C80913B53h
jmp 00007F2C80913B3Ah
jmp 00007F2C808F0E92h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12b200 | 0x3c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x12e400 | 0x2670 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12d000 | 0x4854 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc2c50 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xc2b68 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x12b000 | 0x200 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb4e64 | 0xb5000 | 6a947f979f3512e6e306e5e98a4ac31f | False | 0.3331211153314917 | data | 5.824030626477386 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb6000 | 0x14af4 | 0x14c00 | 77c5d2aeff1724db79a61477e7df260f | False | 0.2868034638554217 | data | 3.6974700234552698 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcb000 | 0x5f6a8 | 0x5dc00 | 43980dc7abfb2890b8c04aa9360570c2 | False | 0.8165963541666666 | data | 7.235349059592442 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x12b000 | 0xc8a | 0xe00 | 489b179975194f61bd8385884c1c69cc | False | 0.326171875 | data | 4.377193612236256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0x12c000 | 0x10e | 0x200 | 693e92a66f79b6cd96671abbe1debf1c | False | 0.03515625 | data | 0.11055713125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12d000 | 0x5686 | 0x5800 | 9148375b01293d1794b3aab431c86cdd | False | 0.6258877840909091 | data | 5.961284730381873 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
SHELL32.dll | DragFinish
KERNEL32.dll | LoadLibraryExW, CreateFileW, VirtualProtectEx, FormatMessageA, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, LocalFree, GetLocaleInfoEx, EncodePointer, DecodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, HeapSize, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, WriteConsoleW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetCurrentThread, HeapAlloc, HeapFree, GetFileType, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, SetConsoleCtrlHandler, GetTimeZoneInformation, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/24/24-16:03:03.712042 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
04/24/24-16:03:04.020691 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
04/24/24-16:03:20.610356 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
04/24/24-16:03:09.394447 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 16:03:02.861430883 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:03.171375036 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:03.171519041 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:03.181700945 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:03.489490986 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:03.531907082 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:03.712042093 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:04.020690918 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:04.063169003 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:09.083549023 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:09.394447088 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:09.394536018 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:09.394555092 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:09.394598007 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:09.394612074 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:09.394630909 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:09.394659996 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:09.438203096 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:09.535922050 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:09.844185114 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:09.891314983 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:10.203418970 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:10.514398098 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:10.519805908 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:10.827500105 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:10.875713110 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:10.927542925 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:11.238607883 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:11.242440939 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:11.553519011 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:11.594456911 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:11.627471924 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:11.934631109 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:11.934658051 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:11.934777975 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:11.934884071 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:11.934990883 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:12.242125988 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:12.242183924 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:12.242794991 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:12.244000912 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:12.297625065 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:12.538466930 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:12.846460104 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:12.858882904 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:13.170628071 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:13.219453096 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:14.315344095 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:14.623130083 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:14.629441977 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:14.937326908 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:14.938801050 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:15.250406981 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:15.252897978 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:15.560117960 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:15.567352057 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:15.874423981 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:15.874778986 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:15.874885082 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:15.875557899 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:15.880350113 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:16.191975117 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:16.235065937 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:16.297883987 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:16.605685949 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:16.605783939 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:16.606206894 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:16.606268883 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:16.606313944 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:16.607116938 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:16.607131004 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:16.607268095 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:16.912842989 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:16.912859917 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:16.912981987 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:16.912981987 CEST | 49708 | 28380 | 192.168.2.8 | 5.42.65.96
Apr 24, 2024 16:03:16.913063049 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:16.913273096 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:16.913511038 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
Apr 24, 2024 16:03:16.913594007 CEST | 28380 | 49708 | 5.42.65.96 | 192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:16.913606882 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:16.913997889 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:16.914190054 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:16.914244890 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:16.914328098 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:16.914530039 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:16.914592981 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:16.914890051 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.219479084 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:17.222924948 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.222945929 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.223323107 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:17.223404884 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:17.223583937 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.223936081 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.224159002 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.224284887 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.224605083 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.224782944 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.224957943 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.225122929 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.225661993 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.225831985 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.226133108 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.226149082 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.226425886 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.226732016 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.226747036 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.226859093 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.227171898 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.227416992 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:17.227497101 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:17.526494026 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.530368090 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.530702114 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.530745029 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.530761003 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.530999899 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.531232119 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.531250000 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.531369925 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.531891108 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:17.531982899 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:17.534280062 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.534297943 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.534476995 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.534660101 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.535073996 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.535104036 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.535239935 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.535372972 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.535387993 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.535527945 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.535841942 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:17.535907984 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:17.841958046 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.842070103 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.842174053 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.842189074 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.842204094 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.842219114 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.842233896 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.842248917 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.842262030 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.842278004 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.842554092 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.842592955 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:17.842664957 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.842690945 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:17.842926979 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.843019962 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.843178988 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.843468904 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.843586922 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.843601942 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.843760967 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.843993902 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:17.845216036 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:17.845302105 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:18.149844885 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.149863958 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.149944067 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.150124073 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.150378942 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.150444031 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.150667906 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.150749922 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.151114941 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.151261091 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.151638031 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:18.151818037 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:18.154953003 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.154990911 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.155172110 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.155342102 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.155356884 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.155549049 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.155565023 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.155772924 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.155859947 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.156318903 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.156333923 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.156445026 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.157710075 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.158387899 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.158694029 CEST4970828380192.168.2.85.42.65.96
                                                                                                                                Apr 24, 2024 16:03:18.459074974 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.459614992 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.459635019 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.459853888 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.460405111 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.460421085 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.460437059 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.460452080 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.461194038 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.461641073 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.461657047 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.461672068 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.461993933 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.462333918 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.462349892 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.462831020 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.463274002 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.463290930 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.464008093 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.466059923 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.466079950 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.466097116 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.466232061 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.466461897 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.466521978 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.466996908 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.467293978 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.467309952 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.467458010 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.467530966 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.468019009 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.468035936 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.468652964 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.468669891 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.468686104 CEST28380497085.42.65.96192.168.2.8
                                                                                                                                Apr 24, 2024 16:03:18.470551014 CEST28380497085.42.65.96192.168.2.8
Timestamp                              Source Port  Dest Port  Source IP     Dest IP
Apr 24, 2024 16:03:18.516364098 CEST   49708        28380      192.168.2.8   5.42.65.96
Apr 24, 2024 16:03:18.533143044 CEST   49708        28380      192.168.2.8   5.42.65.96
Apr 24, 2024 16:03:18.845861912 CEST   28380        49708      5.42.65.96    192.168.2.8
Apr 24, 2024 16:03:18.891375065 CEST   49708        28380      192.168.2.8   5.42.65.96
Apr 24, 2024 16:03:18.958978891 CEST   49708        28380      192.168.2.8   5.42.65.96
Apr 24, 2024 16:03:19.269968987 CEST   28380        49708      5.42.65.96    192.168.2.8
Apr 24, 2024 16:03:19.313249111 CEST   49708        28380      192.168.2.8   5.42.65.96
Apr 24, 2024 16:03:19.975172997 CEST   49708        28380      192.168.2.8   5.42.65.96
Apr 24, 2024 16:03:20.284686089 CEST   28380        49708      5.42.65.96    192.168.2.8
Apr 24, 2024 16:03:20.285327911 CEST   49708        28380      192.168.2.8   5.42.65.96
Apr 24, 2024 16:03:20.594238043 CEST   28380        49708      5.42.65.96    192.168.2.8
Apr 24, 2024 16:03:20.610356092 CEST   49708        28380      192.168.2.8   5.42.65.96
Apr 24, 2024 16:03:20.922388077 CEST   28380        49708      5.42.65.96    192.168.2.8
Apr 24, 2024 16:03:20.969506025 CEST   49708        28380      192.168.2.8   5.42.65.96
Apr 24, 2024 16:03:20.981715918 CEST   49708        28380      192.168.2.8   5.42.65.96
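Every row above belongs to a single TCP session: the sandbox host 192.168.2.8 (ephemeral port 49708) talking to 5.42.65.96 on port 28380, a port on which no standard service listens. The Python helper below is an added example and not part of the Joe Sandbox report: it takes rows of this shape (the 15 rows above are embedded as constructed input), separates sandbox-to-remote from remote-to-sandbox packets using the private/routable split, and reports per-session packet counts, the time span and the median gap between client sends, the raw material for a beacon-interval or non-standard-port detection. The list of "common" ports is the example's own assumption.

```python
import ipaddress
import re
from collections import defaultdict
from statistics import median

# Constructed sample input: the 15 TCP packet rows from the table above,
# re-entered as (timestamp, source port, dest port, source ip, dest ip).
PACKETS = [
    ("Apr 24, 2024 16:03:18.516364098 CEST", 49708, 28380, "192.168.2.8", "5.42.65.96"),
    ("Apr 24, 2024 16:03:18.533143044 CEST", 49708, 28380, "192.168.2.8", "5.42.65.96"),
    ("Apr 24, 2024 16:03:18.845861912 CEST", 28380, 49708, "5.42.65.96", "192.168.2.8"),
    ("Apr 24, 2024 16:03:18.891375065 CEST", 49708, 28380, "192.168.2.8", "5.42.65.96"),
    ("Apr 24, 2024 16:03:18.958978891 CEST", 49708, 28380, "192.168.2.8", "5.42.65.96"),
    ("Apr 24, 2024 16:03:19.269968987 CEST", 28380, 49708, "5.42.65.96", "192.168.2.8"),
    ("Apr 24, 2024 16:03:19.313249111 CEST", 49708, 28380, "192.168.2.8", "5.42.65.96"),
    ("Apr 24, 2024 16:03:19.975172997 CEST", 49708, 28380, "192.168.2.8", "5.42.65.96"),
    ("Apr 24, 2024 16:03:20.284686089 CEST", 28380, 49708, "5.42.65.96", "192.168.2.8"),
    ("Apr 24, 2024 16:03:20.285327911 CEST", 49708, 28380, "192.168.2.8", "5.42.65.96"),
    ("Apr 24, 2024 16:03:20.594238043 CEST", 28380, 49708, "5.42.65.96", "192.168.2.8"),
    ("Apr 24, 2024 16:03:20.610356092 CEST", 49708, 28380, "192.168.2.8", "5.42.65.96"),
    ("Apr 24, 2024 16:03:20.922388077 CEST", 28380, 49708, "5.42.65.96", "192.168.2.8"),
    ("Apr 24, 2024 16:03:20.969506025 CEST", 49708, 28380, "192.168.2.8", "5.42.65.96"),
    ("Apr 24, 2024 16:03:20.981715918 CEST", 49708, 28380, "192.168.2.8", "5.42.65.96"),
]

# Assumption of this example: ports that carry enough benign traffic for C2 to
# blend in. Anything else is reported as non-standard.
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080, 8443}

TS_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2})\.(\d{1,9})")


def to_seconds(ts):
    """Seconds since midnight from a report timestamp. Parsed by hand because the
    nine fractional digits exceed what datetime.strptime('%f') accepts."""
    m = TS_RE.search(ts)
    if m is None:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    h, mi, s, frac = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s) + int(frac.ljust(9, "0")) / 1e9


def summarize_sessions(packets):
    """Group packets by (sandbox endpoint, remote endpoint) and describe each session."""
    sessions = defaultdict(lambda: {"client": [], "server": []})
    for ts, sport, dport, sip, dip in packets:
        # The private (sandbox) side is the client; the routable side is the remote peer.
        if ipaddress.ip_address(sip).is_private and not ipaddress.ip_address(dip).is_private:
            key, side = ((sip, sport), (dip, dport)), "client"
        else:
            key, side = ((dip, dport), (sip, sport)), "server"
        sessions[key][side].append(to_seconds(ts))

    result = []
    for (local, remote), pk in sessions.items():
        client = sorted(pk["client"])
        every = sorted(client + pk["server"])
        gaps = [b - a for a, b in zip(client, client[1:])]
        result.append({
            "local": local,
            "remote": remote,
            "client_pkts": len(client),
            "server_pkts": len(pk["server"]),
            "span_s": every[-1] - every[0],
            "median_client_gap_s": median(gaps) if gaps else None,
            "nonstandard_port": remote[1] not in COMMON_PORTS,
        })
    return result


if __name__ == "__main__":
    for session in summarize_sessions(PACKETS):
        print(session)
```

On the rows above this yields one session with ten client packets, five server packets and a median client-side gap of roughly a third of a second; a longer capture of the same session is what you would use to measure the real beacon interval.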


                                                                                                                                Target ID:0
                                                                                                                                Start time:16:02:56
                                                                                                                                Start date:24/04/2024
                                                                                                                                Path:C:\Users\user\Desktop\file.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                                                Imagebase:0xaf0000
                                                                                                                                File size:1'247'856 bytes
                                                                                                                                MD5 hash:D41582BDE613BD63CAFFA80F482E692B
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                Reputation:low
                                                                                                                                Has exited:true

                                                                                                                                Target ID:2
                                                                                                                                Start time:16:02:56
                                                                                                                                Start date:24/04/2024
                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                Imagebase:0xb10000
                                                                                                                                File size:65'440 bytes
                                                                                                                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1601803658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1603564573.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:5
                                                                                                                                Start time:16:02:57
                                                                                                                                Start date:24/04/2024
                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7364 -s 340
                                                                                                                                Imagebase:0xd90000
                                                                                                                                File size:483'680 bytes
                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true
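The three process records above show the pattern a triage analyst looks for: an unknown binary from a user-writable path, a well-known Microsoft .NET utility (RegAsm.exe) launched with nothing but its own path on the command line yet carrying RedLine and credential-stealer YARA hits, and a WerFault.exe instance reporting a crash. The Python below is an added example, not code from the report or from Joe Sandbox: it encodes those observations as checks over process records (the three above are embedded as constructed input). The set of .NET utilities treated as hollowing targets is the example's own assumption; the `-p` argument of WerFault.exe is the PID of the faulting process.

```python
import re

# Constructed sample input: the three process records from the report above,
# reduced to the fields the checks below use.
PROCESSES = [
    {"target": 0, "path": r"C:\Users\user\Desktop\file.exe",
     "cmdline": r'"C:\Users\user\Desktop\file.exe"',
     "reputation": "low", "yara": ["JoeSecurity_RedLine"]},
    {"target": 2, "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
     "reputation": "high",
     "yara": ["JoeSecurity_RedLine", "JoeSecurity_CredentialStealer", "JoeSecurity_RedLine"]},
    {"target": 5, "path": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 7364 -s 340",
     "reputation": "high", "yara": []},
]

# Assumption of this example: .NET Framework utilities that loaders routinely
# hollow. Each of them needs an argument (assembly path, project file, ...) to do
# anything legitimate, so an empty argument list is itself an indicator.
HOLLOWING_TARGETS = {
    "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
    "aspnet_compiler.exe", "applaunch.exe", "csc.exe", "vbc.exe",
}


def split_cmdline(cmdline):
    """Return (image, [args]) from a Windows command line; handles a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        close = cmdline.find('"', 1)
        if close == -1:
            raise ValueError(f"unterminated quote in {cmdline!r}")
        image, rest = cmdline[1:close], cmdline[close + 1:]
    else:
        image, _, rest = cmdline.partition(" ")
    return image, rest.split()


def assess(proc):
    """Return the injection/hollowing indicators that apply to one process record."""
    image, args = split_cmdline(proc["cmdline"])
    name = image.rsplit("\\", 1)[-1].lower()
    findings = []
    if name in HOLLOWING_TARGETS and not args:
        findings.append("hollowing target launched with an empty argument list")
    if proc["reputation"] == "high" and proc["yara"]:
        # A malware-family rule firing inside a well-known Microsoft binary means
        # the matched code was written into the process, not loaded from disk.
        findings.append("malware YARA hit inside a high-reputation binary (injected code)")
    if proc["reputation"] == "low" and proc["path"].lower().startswith("c:\\users\\") and proc["yara"]:
        findings.append("unknown binary in a user-writable path with a malware YARA hit")
    if name == "werfault.exe":
        m = re.search(r"-p\s+(\d+)", " ".join(args))
        if m:
            findings.append(f"Windows Error Reporting invoked for a crash in PID {m.group(1)}")
    return findings


def triage(processes):
    """Map target id -> list of findings for a whole process list."""
    return {p["target"]: assess(p) for p in processes}


if __name__ == "__main__":
    for target, findings in triage(PROCESSES).items():
        print(target, findings)
```

The empty-argument check is the one worth carrying into EDR rules: legitimate RegAsm.exe invocations always name an assembly, so a bare `"...\RegAsm.exe"` command line is a cheap, high-signal process-creation detection independent of any memory scan.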


                                                                                                                                  Execution Graph

                                                                                                                                  Execution Coverage:0.1%
                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                  Signature Coverage:0%
                                                                                                                                  Total number of Nodes:6
                                                                                                                                  Total number of Limit Nodes:0
execution_graph (linear chain of 6 nodes; "node  address  API  -> successor"):
  50305  b09210                      -> 50306
  50306  b0923e                      -> 50307
  50307  b092c1  VirtualProtectEx    -> 50308
  50308  b092ee                      -> 50309
  50309  b0931a  GlobalFree          -> 50310
  50310  b09326                      (no outgoing edges)

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • VirtualProtectEx.KERNELBASE(000000FF,00C07018,000004AC,00000040,?,?), ref: 00B092D9
                                                                                                                                  • GlobalFree.KERNELBASE(00000000), ref: 00B0931B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FreeGlobalProtectVirtual
                                                                                                                                  • String ID: A$O
                                                                                                                                  • API String ID: 2969745934-2576515906
                                                                                                                                  • Opcode ID: 8ec3702cc4e2381b8d1384a990c10c0dab9301a5adf19195b89b68c298fd26c3
                                                                                                                                  • Instruction ID: 16162aa111d6d6cdec03383e57985256dc6de51b840a29d5e96349ca4237debc
                                                                                                                                  • Opcode Fuzzy Hash: 8ec3702cc4e2381b8d1384a990c10c0dab9301a5adf19195b89b68c298fd26c3
                                                                                                                                  • Instruction Fuzzy Hash: 5D412971E08308ABDB04AFA4CD02BFEB7A4FF5A310F048354FA14671D2EB70AA948750
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
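The call logged for this function, VirtualProtectEx(000000FF, 00C07018, 000004AC, 00000040, ...), changes the protection of 0x4AC bytes at 0xC07018 to 0x40, and the memory dump list places that address inside the region dumped at 0xC07000. The Python below is an added example, not code from the report or from Joe Sandbox: it decodes the protection constant and maps the target range onto the dumps listed above. It assumes the .sdmp name layout `<target>.<run>.<id>.<base>.<protect>.<?>.<type>.<?>.sdmp`; that reading of the base, protect and type fields is inferred from the values (they are valid addresses and PAGE_*/MEM_* constants), not stated on the page, and because the names carry no size a region is assumed to extend to the next dump's base.

```python
import re

# Win32 memory protection and region type constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# The dump names listed for this function in the report (target 0 = file.exe).
DUMPS = [
    "00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp",
]

# Assumed name layout: <target>.<run>.<id>.<base>.<protect>.<?>.<type>.<?>.sdmp.
# Only base, protect and type are used; their meaning is inferred from the values.
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


def parse_sdmp(name):
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a dump name: {name!r}")
    target, _run, _ident, base, protect, _, mtype, _ = m.groups()
    return {"target": int(target, 16), "base": int(base, 16),
            "protect": int(protect, 16), "type": int(mtype, 16)}


def decode_protect(flags):
    """Human-readable PAGE_* value, including modifier bits such as PAGE_GUARD."""
    parts = [PAGE_PROTECT.get(flags & 0xFF, hex(flags & 0xFF))]
    parts += [n for bit, n in PAGE_MODIFIERS.items() if flags & bit]
    return " | ".join(parts)


def locate(addr, dumps):
    """Dump region holding addr: the highest base <= addr. Names carry no size,
    so a region is assumed to run up to the next dump's base."""
    regions = sorted(dumps, key=lambda d: d["base"])
    hit = None
    for i, d in enumerate(regions):
        if d["base"] <= addr:
            end = regions[i + 1]["base"] if i + 1 < len(regions) else None
            hit = dict(d, end=end)
    return hit


def describe_virtualprotectex(addr, size, new_protect, dumps, imagebase):
    """Relate a VirtualProtectEx(addr, size, new_protect) call to the dumped regions."""
    region = locate(addr, dumps)
    fits = region is not None and (region["end"] is None or addr + size <= region["end"])
    return {
        "range": f"{addr:#x}-{addr + size:#x}",
        "new_protect": decode_protect(new_protect),
        "makes_rwx": bool(new_protect & 0x40),
        "region_base": region["base"] if region else None,
        "region_protect": decode_protect(region["protect"]) if region else None,
        "region_type": MEM_TYPE.get(region["type"], hex(region["type"])) if region else None,
        "fits_in_region": fits,
        "targets_own_image": bool(region) and region["type"] == 0x1000000 and region["base"] >= imagebase,
    }


if __name__ == "__main__":
    dumps = [parse_sdmp(n) for n in DUMPS]
    # Arguments as logged: VirtualProtectEx(000000FF, 00C07018, 000004AC, 00000040, ...)
    print(describe_virtualprotectex(0x00C07018, 0x4AC, 0x40, dumps, 0xAF0000))
```

The result shows the 0x4AC-byte range lying inside a MEM_IMAGE region of file.exe itself (image base 0xAF0000) that was dumped as PAGE_EXECUTE_READWRITE: the sample makes part of its own mapped image writable and executable before the GlobalFree that follows, which is consistent with an unpacking or self-patching stub rather than with ordinary code.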

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
control_flow_graph (26 nodes; "node  address range  call/API  -> successors"):
  1342  b8f4c5-b8f4d2                      -> 1343, 1344
  1343  b8f4d8-b8f4dd                      -> 1344, 1347
  1344  b8f576-b8f58f  GetLocaleInfoW      -> 1345, 1346
  1345  b8f591-b8f593                      -> 1348
  1346  b8f595-b8f59a                      -> 1348, 1349
  1347  b8f4e3-b8f4e8                      -> 1350
  1348  b8f5a2-b8f5a5                      (no outgoing edges)
  1349  b8f59c         GetACP              -> 1348
  1350  b8f4ea-b8f4f0                      -> 1351, 1352
  1351  b8f510-b8f512                      -> 1353
  1352  b8f4f2-b8f4f5                      -> 1354, 1355
  1353  b8f515-b8f517                      -> 1344, 1357
  1354  b8f50c-b8f50e                      -> 1353
  1355  b8f4f7-b8f4ff                      -> 1351, 1356
  1356  b8f501-b8f50a                      -> 1350, 1354
  1357  b8f519-b8f51e                      -> 1358
  1358  b8f520-b8f526                      -> 1359, 1360
  1359  b8f528-b8f52b                      -> 1361, 1362
  1360  b8f544-b8f546                      -> 1361
  1361  b8f549-b8f54b                      -> 1364, 1365
  1362  b8f52d-b8f535                      -> 1360, 1363
  1363  b8f537-b8f540                      -> 1358, 1366
  1364  b8f56d-b8f574  call af58c6         -> 1348
  1365  b8f54d-b8f566  GetLocaleInfoW      -> 1345, 1367
  1366  b8f542                             -> 1361
  1367  b8f568-b8f56b                      -> 1348
                                                                                                                                  APIs
                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00B8F55E
                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00B8F587
                                                                                                                                  • GetACP.KERNEL32 ref: 00B8F59C
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InfoLocale
                                                                                                                                  • String ID: ACP$OCP
                                                                                                                                  • API String ID: 2299586839-711371036
                                                                                                                                  • Opcode ID: 94143a529444b9846e6327d17e33f0581cb0e8c3a5a8f9dc6377d29b854c0dc7
                                                                                                                                  • Instruction ID: 32ae94ab98ec8ecb4e4904bd9fb00969eef7455cfcb36e7dcff690945efbbe9a
                                                                                                                                  • Opcode Fuzzy Hash: 94143a529444b9846e6327d17e33f0581cb0e8c3a5a8f9dc6377d29b854c0dc7
                                                                                                                                  • Instruction Fuzzy Hash: 0E216062B00103AADB34AF55D905BFB73E6EB74B60B5684B4E90AD7120F732DE40C750
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
control_flow_graph (35 nodes; "node  address range  call/API  -> successors"):
  1498  b8f70e-b8f764  call af4269 * 2                -> 1503, 1504
  1503  b8f785-b8f78c                                 -> 1506, 1507
  1504  b8f766-b8f769                                 -> 1503, 1505
  1505  b8f76b-b8f783  call b8f695                    -> 1503
  1506  b8f7fc-b8f800                                 -> 1510, 1511
  1507  b8f78e-b8f791                                 -> 1506, 1509
  1509  b8f793-b8f797                                 -> 1513, 1514
  1510  b8f802-b8f805                                 -> 1511, 1515
  1511  b8f813-b8f823  GetUserDefaultLCID             -> 1516
  1513  b8f7a9-b8f7ad  call b8efbe                    -> 1524
  1514  b8f799-b8f79c                                 -> 1513, 1518
  1515  b8f807-b8f811  call b8ee7b                    -> 1516
  1516  b8f826                                        -> 1517
  1517  b8f828-b8f82c                                 -> 1521, 1522
  1518  b8f79e-b8f7a7  call b8eefd                    -> 1524
  1521  b8f82e                                        -> 1526
  1522  b8f841-b8f85d  call b8f4c5                    -> 1521, 1536
  1524  b8f7b2-b8f7b7                                 -> 1529, 1530
  1526  b8f830-b8f83e  call af303a                    (no outgoing edges)
  1529  b8f7bd-b8f7d6  call b8f695                    -> 1516, 1537
  1530  b8f83f                                        -> 1522
  1536  b8f85f-b8f86b  IsValidCodePage                -> 1521, 1538
  1537  b8f7d8-b8f7de                                 -> 1539, 1540
  1538  b8f86d-b8f87a  IsValidLocale                  -> 1521, 1541
  1539  b8f7f0-b8f7f4  call b8efbe                    -> 1547
  1540  b8f7e0-b8f7e3                                 -> 1539, 1542
  1541  b8f87c-b8f881                                 -> 1544, 1545
  1542  b8f7e5-b8f7ee  call b8eefd                    -> 1547
  1544  b8f883                                        -> 1545
  1545  b8f885-b8f89b  call af4e17                    -> 1551, 1552
  1547  b8f7f9-b8f7fa                                 -> 1517
  1551  b8f8fb-b8f8fe                                 -> 1526
  1552  b8f89d-b8f8c2  call af4e17 GetLocaleInfoW     -> 1521, 1555
  1555  b8f8c8-b8f8e1  GetLocaleInfoW                 -> 1521, 1556
  1556  b8f8e7-b8f8f8  call af439f                    -> 1551
                                                                                                                                  APIs
                                                                                                                                  • GetUserDefaultLCID.KERNEL32 ref: 00B8F81A
                                                                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 00B8F863
                                                                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00B8F872
                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00B8F8BA
                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00B8F8D9
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: Locale$InfoValid$CodeDefaultPageUser
• String ID:
• API String ID: 3475089800-0
Uniqueness
• Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 0-2761157908
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (node graph omitted; legend: Executed / Not Executed)
APIs
• GetACP.KERNEL32 ref: 00B8EBF3
• IsValidCodePage.KERNEL32(00000000), ref: 00B8EC1E
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00B8EDFF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: CodeInfoLocalePageValid
• String ID: utf8
• API String ID: 790303815-905460609
Uniqueness
• Uniqueness Score: -1.00%
APIs
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00B89B9D
• FindNextFileW.KERNEL32(00000000,?), ref: 00B89C18
• FindClose.KERNEL32(00000000), ref: 00B89C3A
• FindClose.KERNEL32(00000000), ref: 00B89C5D
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID:
• API String ID: 1164774033-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00B33DC6
• IsDebuggerPresent.KERNEL32 ref: 00B33E92
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B33EAB
• UnhandledExceptionFilter.KERNEL32(?), ref: 00B33EB5
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002), ref: 00B0CB53
• FormatMessageA.KERNEL32(00001300,00000000,?,?,?,00000000,00000000), ref: 00B0CB7A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: FormatInfoLocaleMessage
• String ID: !x-sys-default-locale
• API String ID: 4235545615-2729719199
• Opcode ID: b356e6cce51fb8e73da57a34b20cfa5a77bd68cee55685b7bb472825746791e1
• Instruction ID: 4baeef90941351a41054abc36e6c35d2663b464c1c37cd43cd385726a0546a2f
• Opcode Fuzzy Hash: b356e6cce51fb8e73da57a34b20cfa5a77bd68cee55685b7bb472825746791e1
• Instruction Fuzzy Hash: 4FF030B6615108FFEB149B94DC4AEEF7BACEF0D790F108155B601D6090E6B0AE009B70
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B8F0BF
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B8F109
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B8F1CF
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: df6184691a01d2c444165337520105c649a769fdbfcff8c468c3111b778204fb
• Instruction ID: acf2b03b6571ecb78d13c82545afb6148609690f21e4c97bf321072489d38f57
• Opcode Fuzzy Hash: df6184691a01d2c444165337520105c649a769fdbfcff8c468c3111b778204fb
• Instruction Fuzzy Hash: B3619E7565020BDFEB28AF24CD86BBA77E8EF08300F1041B9F915D62A5E774D991CB50
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32 ref: 00B4504D
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B45057
• UnhandledExceptionFilter.KERNEL32(?), ref: 00B45064
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: aaac114ae09c687c443a3f05e6f5eb125666a228ece7cad12220294b3516b18f
• Instruction ID: f6202d11b23bfed0794d28d3f8e166586390dabe8f543656c97a062bc03e8417
• Opcode Fuzzy Hash: aaac114ae09c687c443a3f05e6f5eb125666a228ece7cad12220294b3516b18f
• Instruction Fuzzy Hash: C231B2B590122D9BCF21DF64D989BDDBBB8BF08310F5041EAE51CA6261EB709F858F44
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: /
• API String ID: 0-2043925204
• Opcode ID: 252522127a04f0c1b6dd27c0d39b97e9e18abd37716278ae2b8ebfa5b1a26ec4
• Instruction ID: fd588850e7a0dff02e22cc13b7282eac510552f985f3cb395c8c3621f30a84e1
• Opcode Fuzzy Hash: 252522127a04f0c1b6dd27c0d39b97e9e18abd37716278ae2b8ebfa5b1a26ec4
• Instruction Fuzzy Hash: 1D925DB2E106199BDB14DFE8DD95BEEB7E4EB14300F244179F612E7280EB78D9098B50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c53e9b6a1927892761064b9302be1508b5ce03582b24fd29eb7bec43bd75895a
• Instruction ID: 44439e022d4016b121acb4b11cd13b460741c0905f698ea0f20119d0d288a8a4
• Opcode Fuzzy Hash: c53e9b6a1927892761064b9302be1508b5ce03582b24fd29eb7bec43bd75895a
• Instruction Fuzzy Hash: EF51917580421DAFDF24EFA9CC89ABAB7B9EF45304F1842D9F519D3211EA319E44CB50
Uniqueness

Uniqueness Score: -1.00%

APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?), ref: 00B7EB58
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 59b70ca86fa833ec579d20beb8bffb4de5af853d3b9dae61e1f32163e0709624
• Instruction ID: b469e30ad5da2b9a538853852164cd963c94e7ffca02d9688c502f0af75ad8fe
• Opcode Fuzzy Hash: 59b70ca86fa833ec579d20beb8bffb4de5af853d3b9dae61e1f32163e0709624
• Instruction Fuzzy Hash: E0B1F7356106089FD715CF28C486A657BE0FF49365F29C6D8E8AACF2A1C335E991CB40
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B3394D
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: a815e87ec5c46c6d01f879ad94717d4b70703ab1fbcf8c175f6ed46698870f5e
• Instruction ID: fffb28dee4d867c373685ee85b66f91f7106034eba4d5e9e897c2eaf962d90cc
• Opcode Fuzzy Hash: a815e87ec5c46c6d01f879ad94717d4b70703ab1fbcf8c175f6ed46698870f5e
• Instruction Fuzzy Hash: 245188B1A052058FEB24CF99D8857AFBBF0FB48714F2485AAD405EB350D7759A44CF50
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 6526200c4ad8968004e833d70e281e482f83cd8c28c3d35f57fb4e1f3d71c0cd
• Instruction ID: e59f931f5ba7f4e5d765c609028001253b2db35d1f6ca3ca767d319912c665da
• Opcode Fuzzy Hash: 6526200c4ad8968004e833d70e281e482f83cd8c28c3d35f57fb4e1f3d71c0cd
• Instruction Fuzzy Hash: 77E16C74A00A068FCB24CF68C580BBAF7F1FF49315F2446E9D9569B2A1D730AD4ACB51
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: cfe8ed4726655f592e8e8fae26bb37639b655a6d2811443e5da6b5a546246c57
• Instruction ID: d5481d8c84b2a06a1a8ae83812737d2079d85072d9a21934a0030c1efde5a072
• Opcode Fuzzy Hash: cfe8ed4726655f592e8e8fae26bb37639b655a6d2811443e5da6b5a546246c57
• Instruction Fuzzy Hash: 9BE18B74A00A06CFCB24DF68C584B7AF7F1FF49311B2446E9E956AB290D731AD4ACB11
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 52d9fc8929e5fa7fc1a47ac88233a2a82fcd37bd58d203c2bf65fd9245319b43
• Instruction ID: 091d40bfced3b21ea91c48818c6da2fe096b231b2ab4c67ac821c4ee748089a7
• Opcode Fuzzy Hash: 52d9fc8929e5fa7fc1a47ac88233a2a82fcd37bd58d203c2bf65fd9245319b43
• Instruction Fuzzy Hash: 77E19C3060060A8FCB24CF68C580BBAF7F2FF49315B244AF9E9569B691D730AD49CB51
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 77296e87823eb43b569ad22484bee8dda3128262f88ca0f428da15444fce21a4
• Instruction ID: 48730cb732b15996fff65d6a42ea4ce162926c2730a6f15db96113422529e326
• Opcode Fuzzy Hash: 77296e87823eb43b569ad22484bee8dda3128262f88ca0f428da15444fce21a4
• Instruction Fuzzy Hash: 2BC1BA70A0064A8FCB38DF68C5817BAB7F2EF45312F2447D9E9529B291C770A949CB91
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: 0
                                                                                                                                  • API String ID: 0-4108050209
                                                                                                                                  • Opcode ID: 8bf3fdb8682f6226de10dee6276af790baec6fa2d516e3778a0207c28f42d3f3
                                                                                                                                  • Instruction ID: b604f2e3ba9deac1bb801d39e71ce04cb35342b8d9e27d8bfdbac825f9fa106c
                                                                                                                                  • Opcode Fuzzy Hash: 8bf3fdb8682f6226de10dee6276af790baec6fa2d516e3778a0207c28f42d3f3
                                                                                                                                  • Instruction Fuzzy Hash: 27C1CC34A0064A8FCB39CF68C49077AB7F1EF09312F2447D9D9569B291D730AD49CB51
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 781942790ca956ae8614e1f7b2f9bd1cd041f5ca551dac8a5f5c18c55d1d5007
• Instruction ID: bbdf23533efff3aa4abc552d6f408e38a394b8cf8e9a30414641ab7d6f5446da
• Opcode Fuzzy Hash: 781942790ca956ae8614e1f7b2f9bd1cd041f5ca551dac8a5f5c18c55d1d5007
• Instruction Fuzzy Hash: F1C10170900A068FCB2DCF68C59677AB7F1EB05302F1846D9ECA69B291C771EE49CB51
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B8F3A6
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 9aeb633639f9b7345db5c92f30f643f095bde1135b7d163635ebbb6e36a19a38
• Instruction ID: 1e6890c5ba42f352ac4789e1ad445f645ac9a9acde64f50aec36fdca56abe4ed
• Opcode Fuzzy Hash: 9aeb633639f9b7345db5c92f30f643f095bde1135b7d163635ebbb6e36a19a38
• Instruction Fuzzy Hash: 1721C272610207ABDF28AB65DD42ABB33E8EF44310F1440BAFE01C6251EB74ED01CB50
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 755dce6d45c090f4a66a76362fa0a6fe3706a36196eebe86ace35b02e59af94c
• Instruction ID: 9f56ca0f66be8e0e075bc4a5c681ed2edc76ebe18d3f3c8097facf0cec5ef131
• Opcode Fuzzy Hash: 755dce6d45c090f4a66a76362fa0a6fe3706a36196eebe86ace35b02e59af94c
• Instruction Fuzzy Hash: 7AB19170A0060A8BDF2CDFA8C5807BEB7F5FF44312B1045D9E9A6A7690D630EE49CB55
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: c39bd340af6fb7ef534a9ac924e47a7e2d0e4386ab875075ec9d0577dff74566
• Instruction ID: 57bc63835f6b53bbc63293a2fb6393e455447d27dd229cc7ca9319a61135ea2f
• Opcode Fuzzy Hash: c39bd340af6fb7ef534a9ac924e47a7e2d0e4386ab875075ec9d0577dff74566
• Instruction Fuzzy Hash: D3B1B370A006198ACB2CCF98C580BBEB7F1EF58305F1049D9E966A7750E730EE4ACB51
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 2697e7b34b7f4c87a226b924b30b91f6d0fd132ee49d2fb6c20ad6dc87cee9ca
• Instruction ID: 77911ff98f480dc791e469c3949d8543f4fd7c662197d8372a7ed82b744d1ed3
• Opcode Fuzzy Hash: 2697e7b34b7f4c87a226b924b30b91f6d0fd132ee49d2fb6c20ad6dc87cee9ca
• Instruction Fuzzy Hash: A2B1913190070A8BDB2CDF68C5857BEB7F1EF44305B1445E9E966AB290DB30EE4ACB51
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: d2bcf494e3b1ee57fbc9542efd7bb95a9a602895d85dfb05f2e011b822ef74c5
• Instruction ID: 5e7056cfedaca1a3449f6f913bd0be9196e644ab768b1feea9c57f8d2fc6b2fc
• Opcode Fuzzy Hash: d2bcf494e3b1ee57fbc9542efd7bb95a9a602895d85dfb05f2e011b822ef74c5
• Instruction Fuzzy Hash: 14B1C27190074A9FCB34CE68C5917BEBBE2EB04306F1406DAED52A7291C735AD4ECB51
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: eaf3b6166d3715e3dee19ef1c39eb93cc68c909823fbd25d5084a45f8c4237af
• Instruction ID: 55012be3259fc6d4cbeb41236d1b172ba3144b1c0876ef05d8bab2ba1fa39399
• Opcode Fuzzy Hash: eaf3b6166d3715e3dee19ef1c39eb93cc68c909823fbd25d5084a45f8c4237af
• Instruction Fuzzy Hash: DCB1BF7090070E8FCB24CEA885957BEBFF2EB44302F1446EAED56D7291C6319D49CB91
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 74ae9129b3e2a8cf77e3eeaedef2f96d39153e47ad5c6b7b93cd476b0a8ceb79
• Instruction ID: 22d44b396e591c47ffbc7e94d51ff53f809d8b771534fa7c54f37d52dc96dcc6
• Opcode Fuzzy Hash: 74ae9129b3e2a8cf77e3eeaedef2f96d39153e47ad5c6b7b93cd476b0a8ceb79
• Instruction Fuzzy Hash: 05B1C0B090064A8BCB34CFA8C5917BEB7E1EB14306F140BDAED92D7291D731E949CB56
Uniqueness
• Uniqueness Score: -1.00%

APIs
• EnumSystemLocalesW.KERNEL32(00B8F06B,00000001), ref: 00B8EF6F
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: EnumLocalesSystem
• String ID:
• API String ID: 2099609381-0
• Opcode ID: b8380aca04468f1e04f8d2a7736f2e9ddcc8449289f365e67940a32fcfdab051
• Instruction ID: ae4bb1ddbaf625c711cd0e18100dcb8b6a8294d8068efc68ed7ac2ed37a50e8b
• Opcode Fuzzy Hash: b8380aca04468f1e04f8d2a7736f2e9ddcc8449289f365e67940a32fcfdab051
• Instruction Fuzzy Hash: 6C1129362047059FEB18AF79C8A56BABBD1FF84358B15443CEA8687A50D371A802C740
Uniqueness
• Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32 ref: 00B88EAE
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: DebuggerPresent
• String ID:
• API String ID: 1347740429-0
• Opcode ID: 8475072d1695776bc0330b190e526861f470939a52364709f3cef3b727d1208b
• Instruction ID: b07ba9517cdea66b420d22c9f89b945ddd11bd117cd70bb9ffe590b703932e53
• Opcode Fuzzy Hash: 8475072d1695776bc0330b190e526861f470939a52364709f3cef3b727d1208b
• Instruction Fuzzy Hash: DBF0D17100121EABDE217AD18E42BBB2A8AEF063A1F540841FB059A121CF20C801D7B1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00B8F287,00000000,00000000,?), ref: 00B8F638
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InfoLocale
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2299586839-0
                                                                                                                                  • Opcode ID: 9344bd5fb4f5eb02e45a61b518907eeed547cdbaeb121af7678a10ed76cd812c
                                                                                                                                  • Instruction ID: 517ecb8ec09fd9a856f38a81099a9497ddb53c333692bac69dc835b2c7a8776e
                                                                                                                                  • Opcode Fuzzy Hash: 9344bd5fb4f5eb02e45a61b518907eeed547cdbaeb121af7678a10ed76cd812c
                                                                                                                                  • Instruction Fuzzy Hash: 35F0F932600113FBDF286AA5C809BBB7798EF40754F0546B9ED15A31A4FA74FE01C790
                                                                                                                                  Uniqueness
                                                                                                                                  • Uniqueness Score: -1.00%
                                                                                                                                  APIs
                                                                                                                                  • EnumSystemLocalesW.KERNEL32(00B8F352,00000001), ref: 00B8F008
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: EnumLocalesSystem
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2099609381-0
                                                                                                                                  • Opcode ID: f05cf44849a6cf4819847e01aeb568813980f0fd7eb29a2a0c8a5ff2f3757a53
                                                                                                                                  • Instruction ID: 080b87b0e34bb22c4aae4e4179348d07dcc4f4dbaad39b8c7632357b95c58099
                                                                                                                                  • Opcode Fuzzy Hash: f05cf44849a6cf4819847e01aeb568813980f0fd7eb29a2a0c8a5ff2f3757a53
                                                                                                                                  • Instruction Fuzzy Hash: CCF022363003096FEB246F759881A7A7BD1FB80368B19407DFA054B6A0C6719C02DB10
                                                                                                                                  Uniqueness
                                                                                                                                  • Uniqueness Score: -1.00%
                                                                                                                                  APIs
                                                                                                                                  • EnumSystemLocalesW.KERNEL32(Function_0009155D,00000001,00BB9E40,0000000C), ref: 00B815AB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: EnumLocalesSystem
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2099609381-0
                                                                                                                                  • Opcode ID: 3dbd97d8f1dff11eab8531ffdcc56b702a7bdde2310527e80dd976eb9c16edbc
                                                                                                                                  • Instruction ID: 6b0a2d3bab7c1f6bbad45b0c275694642b12f802d35117380deb127cdd1afa20
                                                                                                                                  • Opcode Fuzzy Hash: 3dbd97d8f1dff11eab8531ffdcc56b702a7bdde2310527e80dd976eb9c16edbc
                                                                                                                                  • Instruction Fuzzy Hash: 8BF03772A052089FDB00EFA8E806BED77E0FB59721F10816AF5019B2A0CBB59904DF41
                                                                                                                                  Uniqueness
                                                                                                                                  • Uniqueness Score: -1.00%
                                                                                                                                  APIs
                                                                                                                                  • GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002), ref: 00B325DB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InfoLocale
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2299586839-0
                                                                                                                                  • Opcode ID: 471bc1a6e84efdbe157c6a200e5d6878ab3784ab35944935d9cecdb54f1545de
                                                                                                                                  • Instruction ID: 492ccb743cf1c5e59ff9629ee8cf68ca3e3ca42eccd3beb36d96949eb8a053c9
                                                                                                                                  • Opcode Fuzzy Hash: 471bc1a6e84efdbe157c6a200e5d6878ab3784ab35944935d9cecdb54f1545de
                                                                                                                                  • Instruction Fuzzy Hash: 70E0D873294204B6DB09DBBCAE1FF6B76E8EB0574AF2081C0F502E50D1D6B0CB00A551
                                                                                                                                  Uniqueness
                                                                                                                                  • Uniqueness Score: -1.00%
                                                                                                                                  APIs
                                                                                                                                  • EnumSystemLocalesW.KERNEL32(00B8EDAB,00000001), ref: 00B8EEB2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: EnumLocalesSystem
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2099609381-0
                                                                                                                                  • Opcode ID: e44e8966dcfb1f2ccad783161546ebdf9c1650724d8df400fee39c8d3a02dcfe
                                                                                                                                  • Instruction ID: 794ff81b1bbc4eec3733fba0afb678c9d84413355c0218bd35cf9812b6e9ff02
                                                                                                                                  • Opcode Fuzzy Hash: e44e8966dcfb1f2ccad783161546ebdf9c1650724d8df400fee39c8d3a02dcfe
                                                                                                                                  • Instruction Fuzzy Hash: 76F0A03630020997CB04AB76D8596AA7F94EBC5711B0640A9EA158B260C671D942C750
                                                                                                                                  Uniqueness
                                                                                                                                  • Uniqueness Score: -1.00%
                                                                                                                                  APIs
                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?), ref: 00B822F1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InfoLocale
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2299586839-0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • EnumSystemLocalesW.KERNEL32(Function_0009155D,00000001), ref: 00B8177C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: EnumLocalesSystem
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2099609381-0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: GetSystemTimePreciseAsFileTime
                                                                                                                                  • API String ID: 0-595813830
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: fe80f618eccfffabdbb84487666353019792eb4df2b5cd35edc8fc8309f3c250
                                                                                                                                  • Instruction ID: 37eea2b3e578bbfee302ca7ab4335409c64ed6132226ce75900c1386824f8b7f
                                                                                                                                  • Opcode Fuzzy Hash: fe80f618eccfffabdbb84487666353019792eb4df2b5cd35edc8fc8309f3c250
                                                                                                                                  • Instruction Fuzzy Hash: 0DA188729083449BC715DF28C940A2FFBE5FFC9740F444A5DF989A7291EB34EA408B92
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: e30fa976a895f61a39410aedb3a355e875ffcc06774554d793fe89ab3396a3f9
                                                                                                                                  • Instruction ID: d84e6173035f13884f1058695c443f562c91441a6877dac869f7d2d44a45d899
                                                                                                                                  • Opcode Fuzzy Hash: e30fa976a895f61a39410aedb3a355e875ffcc06774554d793fe89ab3396a3f9
                                                                                                                                  • Instruction Fuzzy Hash: 10E14B71A002289FDB25DF58C881BAAB7F9FB46B04F1480EAD95DA7341D7319F819F81
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 1f39ea33b9431a94842873bba9eee840336b9e542d46f08539ecaea2a8652464
                                                                                                                                  • Instruction ID: cbed1b0e684961177ece51c683eaf6141e0e34dab9fd5e7c9f3b66ad0675cdd1
                                                                                                                                  • Opcode Fuzzy Hash: 1f39ea33b9431a94842873bba9eee840336b9e542d46f08539ecaea2a8652464
                                                                                                                                  • Instruction Fuzzy Hash: 7DB124329042469FDB158F68C891BFEBBF5EF55310F14C1BAE929AB341D2349D01CBA5
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 2e54870e5a2b1ed60425e4a8053187df859b43e7ad4cd8fdb6ed16bc219ced1a
                                                                                                                                  • Instruction ID: 8434f0f3bb1a68e127366c384cb367844a2da4694f732c4c8c84c7cb99dbb1c5
                                                                                                                                  • Opcode Fuzzy Hash: 2e54870e5a2b1ed60425e4a8053187df859b43e7ad4cd8fdb6ed16bc219ced1a
                                                                                                                                  • Instruction Fuzzy Hash: 26A13F71A001299BCB25DF18C881BEDB7F9FB89704F5580EAD91DA7245D7719E818F80
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 727c3e4e85d85fac6c71e101ba82464d6309661b83e8073e0303406ba58a297f
                                                                                                                                  • Instruction ID: 53aaab9c6b5f97cefb3890fde0964e6053ab4272e0fb65988221048b39431b31
                                                                                                                                  • Opcode Fuzzy Hash: 727c3e4e85d85fac6c71e101ba82464d6309661b83e8073e0303406ba58a297f
                                                                                                                                  • Instruction Fuzzy Hash: 9F514372D0011AAFDF14CF99C981ABEBBB6EF84310F1980A9E915AB241D734AE51DB50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 9709a51dcda79fa33bcb554c07c0e3e12b3b83b182096d31b142963fb3a03471
                                                                                                                                  • Instruction ID: 63b961958f9b269a06f91ddd24aa86834d8721fac60e72b64b7885cf63899320
                                                                                                                                  • Opcode Fuzzy Hash: 9709a51dcda79fa33bcb554c07c0e3e12b3b83b182096d31b142963fb3a03471
                                                                                                                                  • Instruction Fuzzy Hash: 46F0BBB2650220EBCB16EA5CD559B957BE8F74AB50F1584D1F201E72A0C6F0DE41C7D4
                                                                                                                                  Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5965ec7a6bc0a41d44cfe4b81a89a8ddf9b249bbab5b09b236e47a21fdf4385c
• Instruction ID: 1ec93a57c117662032b08207bcf14c96fe893c8c13bcaac2c9fb3ad85899c982
• Opcode Fuzzy Hash: 5965ec7a6bc0a41d44cfe4b81a89a8ddf9b249bbab5b09b236e47a21fdf4385c
• Instruction Fuzzy Hash: AEF06DB1640204EFDB05FE6CC9DCB547BE4EF46744F244491B109E72A2C270DE40D720
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c34cd4ecfe509b3b2ba4fa3dbfe40dd23bc721ce7bc5acdae0adbfa74f995bd
• Instruction ID: 40bbfb01d4c9a4810f217be90518a781f6147a799e90a04cb8637d2febcb40c7
• Opcode Fuzzy Hash: 4c34cd4ecfe509b3b2ba4fa3dbfe40dd23bc721ce7bc5acdae0adbfa74f995bd
• Instruction Fuzzy Hash: C8F030B2A16224EBCB26DB89C505B9973E8EB45B61F114096F542EB250C6B0DE40C7D0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 83347452503855ae28c2dfdf676415e316e26101bc4ca6c0cf2fbe0eeeaadf9d
• Instruction ID: c1b2ac98201291e9ce2ccfa2ec4dc06b23d1751c2b82388bb756bf4c06ebbb04
• Opcode Fuzzy Hash: 83347452503855ae28c2dfdf676415e316e26101bc4ca6c0cf2fbe0eeeaadf9d
• Instruction Fuzzy Hash: DBF039B1A11324ABCB26DB4CD905B99B7ECEB49B50F158096F501E7260C6B4EE81C7D1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6a6aa245dc1e16fba03775712bb7255aeda087ce5f774c0dc306d3dc7d2d3ae
• Instruction ID: 4db32c6bf2f3adde843c31622026489bc23e7ee767c484a6df8bee36e2ce031a
• Opcode Fuzzy Hash: d6a6aa245dc1e16fba03775712bb7255aeda087ce5f774c0dc306d3dc7d2d3ae
• Instruction Fuzzy Hash: 57E065B1612348EFCB0ACB69C644B4AB7E8EB49384F2080A8F40AD7660D334DE80CB11
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ad2e6ee2fa5999cae8abca64f1d2b6872f548fb9d8b66d11738723485fd74fbc
• Instruction ID: d99b118b529a639eecd06f8a6069047751acf5a9ea677f591f996e89dbdd5362
• Opcode Fuzzy Hash: ad2e6ee2fa5999cae8abca64f1d2b6872f548fb9d8b66d11738723485fd74fbc
• Instruction Fuzzy Hash: 12E065B1601348EFCB19DB69CA88B49B7E9EB49344F2080A8F409D7261E334DE80CB10
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1ef5de53d1dcd47e1777c4bcec7f1b74e5239bd0d096eeec7cfbe53e56215951
• Instruction ID: 29e0ca710feeed80e53f67f93810290d38de302f1fbb1ab289e9d2846855f85d
• Opcode Fuzzy Hash: 1ef5de53d1dcd47e1777c4bcec7f1b74e5239bd0d096eeec7cfbe53e56215951
• Instruction Fuzzy Hash: B4E08C72911228EBCB14EBC8C90498AF7ECEB46B00B15809AF501E3110C270DE01C7E4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 20e3536c2b146959e34d16781da7ec8895192a2aa47052009026efda122578fd
• Instruction ID: 3d9a7c2ece43bdf989fe2d5e9b1edc45b2643719ee593f7aa29267ac4591030e
• Opcode Fuzzy Hash: 20e3536c2b146959e34d16781da7ec8895192a2aa47052009026efda122578fd
• Instruction Fuzzy Hash: 28E0E275911248EFCB04EBA8C589E4AB7F8EB48754F1188A4F405E7251D234EF80DA10
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 250aa52375e80b2e1787ee053931cdc6c0d70d8ccb2282c6be68dd0b4b2beb68
• Instruction ID: 5488c9b81a9722c450c743d58ce1fbb1d9bb9a1db8dae3d0efc4742f68efbb2f
• Opcode Fuzzy Hash: 250aa52375e80b2e1787ee053931cdc6c0d70d8ccb2282c6be68dd0b4b2beb68
• Instruction Fuzzy Hash: 55C08CF4200D0047CE2E893083B13B437D4E3A1782F8804CCC51B4BA56D51E9C82D600
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; edge list not reproduced)
• Legend: Executed / Not Executed
• Entry block: b81bdf; API calls on the graph: LoadLibraryExW, GetLastError, FreeLibrary; internal call: af5452
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800), ref: 00B81CA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 97b7797b140718ccd45f875f6ddfef80ec244c1a8249a883a8dfbfd14fc192fd
• Instruction ID: d6bb605d7fd9f99f73315918fb8db71f16fe6c672c3efc77d944882b788a5c21
• Opcode Fuzzy Hash: 97b7797b140718ccd45f875f6ddfef80ec244c1a8249a883a8dfbfd14fc192fd
• Instruction Fuzzy Hash: 59210B71A42214EBC721AB68DC80B6E37ACEB06360F150950F916AB2B0D770ED01CFD0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; edge list not reproduced)
• Legend: Executed / Not Executed
• Entry block: b3293b; API calls on the graph: GetCPInfo, MultiByteToWideChar, CompareStringEx; internal calls: af27bb, af303a, af15af, af343b, af3747
APIs
• GetCPInfo.KERNEL32(?,?), ref: 00B329C6
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B32A52
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B32ABD
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B32AD9
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B32B3C
• CompareStringEx.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00B32B59
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$CompareInfoString
• String ID:
• API String ID: 2984826149-0
• Opcode ID: 249052a9f4d0ae92e56d11358daa676f37b826f7f9dab8e5d6e2a2395d1b8c88
• Instruction ID: ab89727dbbad5a88cafea32f5e9e5937c0d25f6fb7ba0b87b50570403fb3ab5d
• Opcode Fuzzy Hash: 249052a9f4d0ae92e56d11358daa676f37b826f7f9dab8e5d6e2a2395d1b8c88
• Instruction Fuzzy Hash: C971A172D1029AABDF319FA4CC81BFEBBF5EF09720F254195E954A7190E7359C048B60
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; edge list not reproduced)
• Legend: Executed / Not Executed
• Entry block: b12062; API calls on the graph: MultiByteToWideChar, LCMapStringEx, WideCharToMultiByte; internal calls: af27bb, af303a, af343b, af15af, af3747
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00B120AB
• MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000), ref: 00B12116
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B12133
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B12172
• LCMapStringEx.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00B121D1
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00B121F4
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ByteCharMultiStringWide
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2829165498-0
                                                                                                                                  • Opcode ID: d157968557a419896c94575f9e71b67abefd0676e9c868d29b09da19a168e33c
                                                                                                                                  • Instruction ID: 7cff6f939b2223ee1062ef261ef5035812057242ef0d7a10095b08c2a77b81dd
                                                                                                                                  • Opcode Fuzzy Hash: d157968557a419896c94575f9e71b67abefd0676e9c868d29b09da19a168e33c
                                                                                                                                  • Instruction Fuzzy Hash: 8351AEB250021ABBDF209FA0CC45FEF7BA9EF45740F918165FE15A6150D734CDA09BA0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 1311 b78123-b78133 call af2e9b 1314 b78227 1311->1314 1315 b78139-b7813b 1311->1315 1319 b7822d-b78282 call af35b2 1314->1319 1316 b7813d-b78144 1315->1316 1317 b7814a-b78167 call af3882 1315->1317 1316->1314 1316->1317 1317->1319 1322 b7816d-b7818d GetModuleFileNameW 1317->1322 1324 b781a6 1322->1324 1325 b7818f-b781a0 call af3882 1322->1325 1327 b781a9-b781b2 1324->1327 1325->1319 1325->1324 1327->1327 1329 b781b4-b781be 1327->1329 1330 b781e1-b781fc call af2b80 1329->1330 1331 b781c0-b781df call af5939 1329->1331 1330->1319 1336 b781fe-b7820e call af2b80 1330->1336 1331->1319 1331->1330 1336->1319 1339 b78210-b78226 call af1a2d 1336->1339
APIs
• GetModuleFileNameW.KERNEL32(00000000,00C195F2,00000104), ref: 00B78180
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: FileModuleName
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 514040917-4022980321
• Opcode ID: 3bd00eb498a809d30c879dca95224f43264ac111d9b57f4cb058066f3b6d485f
• Instruction ID: bef50367cb1c46330cc5b17ec8e3ad92294a43bb96269597fb74446843c3ac26
• Opcode Fuzzy Hash: 3bd00eb498a809d30c879dca95224f43264ac111d9b57f4cb058066f3b6d485f
• Instruction Fuzzy Hash: EE21A9B3A8020936DA216660AD4EFEB37DCDF87795F0040A1FD1DA6142FA60CB02C2D1
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 1370 b79c51-b79c8e GetModuleHandleExW 1371 b79cb1-b79cb5 1370->1371 1372 b79c90-b79ca2 GetProcAddress 1370->1372 1373 b79cb7-b79cba FreeLibrary 1371->1373 1374 b79cc0-b79ccd 1371->1374 1372->1371 1375 b79ca4-b79caf 1372->1375 1373->1374 1375->1371
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C15490A3,?,?,00000000,00BA3C67,000000FF,?,00B79BB4,?,?,00B79B63,?), ref: 00B79C86
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B79C98
• FreeLibrary.KERNEL32(00000000,?,?,00000000,00BA3C67,000000FF,?,00B79BB4,?,?,00B79B63,?), ref: 00B79CBA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 66ffc56698cc33adb450e6333a2be08885e122dd6619ed7148da8bd5420ef9d4
• Instruction ID: ab86f2be40a435cf8b7b40841c9b02f83904a86e5bdcbfedf3b1a9f69cd118e7
• Opcode Fuzzy Hash: 66ffc56698cc33adb450e6333a2be08885e122dd6619ed7148da8bd5420ef9d4
• Instruction Fuzzy Hash: A7014F71944659EBDB128B54CC49BAEBBF9FB09B15F008665F821A22A0DB749900CB90
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 1377 b81e12-b81e29 LoadLibraryExW 1378 b81e2b-b81e34 GetLastError 1377->1378 1379 b81e73-b81e74 1377->1379 1380 b81e71 1378->1380 1381 b81e36-b81e4a call af5452 1378->1381 1380->1379 1381->1380 1384 b81e4c-b81e60 call af5452 1381->1384 1384->1380 1387 b81e62-b81e70 LoadLibraryExW 1384->1387
APIs
• LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00B81DAE), ref: 00B81E21
• GetLastError.KERNEL32(?,00B81DAE), ref: 00B81E2B
• LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00B81E69
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-$ext-ms-
• API String ID: 3177248105-537541572
• Opcode ID: 1ec2fba016992d09ebfc60a718d7ae22fa245c84aea9bc7aa5d2f3bbfa133d38
• Instruction ID: 5d278376cf8b365784b52e7aed16a42648a37ffa98371585bca8545fdfbb1160
• Opcode Fuzzy Hash: 1ec2fba016992d09ebfc60a718d7ae22fa245c84aea9bc7aa5d2f3bbfa133d38
• Instruction Fuzzy Hash: DDF0127068430CFBEF102B71DC06B6E3E99AB15B42F144860FE0DA40F1EB61D951CA54
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 1388 b97218-b97228 1389 b9722a-b9723d call af1861 call af3931 1388->1389 1390 b97242-b97244 1388->1390 1406 b975b0 1389->1406 1392 b97598-b975a5 call af1861 call af3931 1390->1392 1393 b9724a-b97250 1390->1393 1411 b975ab call af36f2 1392->1411 1393->1392 1396 b97256-b97282 1393->1396 1396->1392 1399 b97288-b97291 1396->1399 1402 b972ab-b972ad 1399->1402 1403 b97293-b972a6 call af1861 call af3931 1399->1403 1404 b972b3-b972b7 1402->1404 1405 b97594-b97596 1402->1405 1403->1411 1404->1405 1409 b972bd-b972c1 1404->1409 1410 b975b3-b975b6 1405->1410 1406->1410 1409->1403 1413 b972c3-b972da 1409->1413 1411->1406 1416 b972dc-b972df 1413->1416 1417 b9731f-b97325 1413->1417 1421 b972ee-b972f4 1416->1421 1422 b972e1-b972e9 1416->1422 1419 b97327-b9732e 1417->1419 1420 b972f6-b9730d call af1861 call af3931 call af36f2 1417->1420 1423 b97330 1419->1423 1424 b97332-b97350 call af3f53 call af6195 * 2 1419->1424 1454 b974cb 1420->1454 1421->1420 1426 b97312-b9731d 1421->1426 1425 b9739f-b973b2 1422->1425 1423->1424 1459 b9736d-b97395 call af1938 1424->1459 1460 b97352-b97368 call af3931 call af1861 1424->1460 1429 b973b8-b973c4 1425->1429 1430 b9746e-b97477 call af64dd 1425->1430 1432 b9739c 1426->1432 1429->1430 1434 b973ca-b973cc 1429->1434 1444 b97479-b9748b 1430->1444 1445 b974e8 1430->1445 1432->1425 1434->1430 1438 b973d2-b973f3 1434->1438 1438->1430 1442 b973f5-b9740b 1438->1442 1442->1430 1448 b9740d-b9740f 1442->1448 1444->1445 1446 b9748d-b9749c GetConsoleMode 1444->1446 1450 b974ec-b97502 ReadFile 1445->1450 1446->1445 1451 b9749e-b974a2 1446->1451 1448->1430 1453 b97411-b97434 1448->1453 1455 b97560-b9756b GetLastError 1450->1455 1456 b97504-b9750a 1450->1456 1451->1450 1457 b974a4-b974bc ReadConsoleW 1451->1457 1453->1430 1461 b97436-b9744c 1453->1461 1458 b974ce-b974d8 call af6195 1454->1458 1462 b9756d-b9757f call af3931 call af1861 1455->1462 1463 b97584-b97587 1455->1463 1456->1455 1464 b9750c 1456->1464 1466 b974dd-b974e6 1457->1466 1467 b974be GetLastError 1457->1467 1458->1410 1459->1432 1460->1454 1461->1430 1472 b9744e-b97450 1461->1472 1462->1454 1468 b9758d-b9758f 1463->1468 1469 b974c4-b974ca call af49e4 1463->1469 1465 b9750f-b97521 1464->1465 1465->1458 1477 b97523-b97527 1465->1477 1466->1465 1467->1469 1468->1458 1469->1454 1472->1430 1481 b97452-b97469 1472->1481 1483 b97529-b97539 call b96e7a 1477->1483 1484 b97540-b9754d 1477->1484 1481->1430 1495 b9753c-b9753e 1483->1495 1489 b97559-b9755e call b96bef 1484->1489 1490 b9754f call b97026 1484->1490 1496 b97554-b97557 1489->1496 1490->1496 1495->1458 1496->1495
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.1449134555.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000AFB000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449149030.0000000000BA0000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449474111.0000000000BA7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BBB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BEF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449501761.0000000000BFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449566091.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449583525.0000000000C16000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449601008.0000000000C1D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 00B39B07
• _ValidateLocalCookies.LIBCMT ref: 00B39B98
• _ValidateLocalCookies.LIBCMT ref: 00B39C18
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: CookiesLocalValidate
• String ID: csm
• API String ID: 2268201637-1018135373
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00B4466C), ref: 00B44867
• GetLastError.KERNEL32(?,00B4466C), ref: 00B44871
• LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00B44899
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetConsoleOutputCP.KERNEL32(C15490A3), ref: 00B85227
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B85482
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B854CA
• GetLastError.KERNEL32 ref: 00B8556D
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00B8B4A3
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B8B4DB
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B8B4FB
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_af0000_file.jbxd
Yara matches
Similarity
• API ID: EnvironmentStrings$Free
• String ID:
• API String ID: 3328510275-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 00B86D62
• GetLastError.KERNEL32(?,?,?,?), ref: 00B86D6F
• SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 00B86D95
• SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00B86DBB
Memory Dump Source
• Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FilePointer$ErrorLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 142388799-0
                                                                                                                                  • Opcode ID: 60b5e1bde85fc1ce7825262ca2a09dcc5c56aaaddf22ef500db28b3f0bace17f
                                                                                                                                  • Instruction ID: 7cbdc044a146340a09127c594f55779148a0888747e16e1b117af58c39eddf28
                                                                                                                                  • Opcode Fuzzy Hash: 60b5e1bde85fc1ce7825262ca2a09dcc5c56aaaddf22ef500db28b3f0bace17f
                                                                                                                                  • Instruction Fuzzy Hash: 53112771904218FBDF11AFA5DC48ADE7FB9FF05760F148195F824A61A0D731DA50EBA0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00B9B248
                                                                                                                                  • GetLastError.KERNEL32 ref: 00B9B254
                                                                                                                                  • ___initconout.LIBCMT ref: 00B9B264
                                                                                                                                    • Part of subcall function 00B9B2E2: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B9B269), ref: 00B9B2F5
                                                                                                                                  • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00B9B278
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ConsoleWrite$CreateErrorFileLast___initconout
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3431868840-0
                                                                                                                                  • Opcode ID: adc439727fa75b54494c8c8f398d5849a46129b4f1892f0546a6ca21cb6e6d64
                                                                                                                                  • Instruction ID: 733444dca5e5d0ba7832bb934351cdf680c495733f81025334836f41457eb7e8
                                                                                                                                  • Opcode Fuzzy Hash: adc439727fa75b54494c8c8f398d5849a46129b4f1892f0546a6ca21cb6e6d64
                                                                                                                                  • Instruction Fuzzy Hash: 36F0D43A100504ABCB625BE6EE04F8E7EB7FB8E761B118469F65A82530DB2298509B51
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00B9B361
                                                                                                                                  • GetLastError.KERNEL32 ref: 00B9B36D
                                                                                                                                  • ___initconout.LIBCMT ref: 00B9B37D
                                                                                                                                    • Part of subcall function 00B9B2E2: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B9B269), ref: 00B9B2F5
                                                                                                                                  • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00B9B392
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ConsoleWrite$CreateErrorFileLast___initconout
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3431868840-0
                                                                                                                                  • Opcode ID: 07d7099f83ceff2c34d09acadfb47af2cb5dfdea8b2fe7b46a8f87f6b0538bb9
                                                                                                                                  • Instruction ID: c8f616c1c6f01df902c6c769f12e7496082c74705409fa16d84effcef1d3d6a9
                                                                                                                                  • Opcode Fuzzy Hash: 07d7099f83ceff2c34d09acadfb47af2cb5dfdea8b2fe7b46a8f87f6b0538bb9
                                                                                                                                  • Instruction Fuzzy Hash: 94F0983A504518BBCF225FA5ED04BDE3E66FB093A1F058160FA1995131D7328D209B95
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Strings
                                                                                                                                  • InitializeCriticalSectionEx, xrefs: 00B8245A
                                                                                                                                  • GetXStateFeaturesMask, xrefs: 00B8240A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1449149030.0000000000AFF000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_af0000_file.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
                                                                                                                                  • API String ID: 0-4196971266
                                                                                                                                  • Opcode ID: 8cd3ad3e9002e0209347109f1c7abcc85cc1c6620acf304f6545cb56b2580af8
                                                                                                                                  • Instruction ID: d6beec9b37cf221e4c43b159e217e9428b13fa9fac1a4cacf1b7795e7f45600d
                                                                                                                                  • Opcode Fuzzy Hash: 8cd3ad3e9002e0209347109f1c7abcc85cc1c6620acf304f6545cb56b2580af8
                                                                                                                                  • Instruction Fuzzy Hash: 4601A731684228B7CB153B918C0AFDE7E95EB45BA1F048451FE2C25271C6719D21D7D0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Execution Graph

                                                                                                                                  Execution Coverage:9.3%
                                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                                  Signature Coverage:4.3%
                                                                                                                                  Total number of Nodes:92
                                                                                                                                  Total number of Limit Nodes:16

                                                                                                                                  Control-flow Graph

                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1621149627.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7050000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: S!
                                                                                                                                  • API String ID: 0-969837141
                                                                                                                                  • Opcode ID: 2566e9e96d5ec4ea47230d79b1fda65761924826bfe2f9574213f9376e890a58
                                                                                                                                  • Instruction ID: 0426ad3c1eb9981320b786840f773b038786dcca03207d09983053edc0a62e1d
                                                                                                                                  • Opcode Fuzzy Hash: 2566e9e96d5ec4ea47230d79b1fda65761924826bfe2f9574213f9376e890a58
                                                                                                                                  • Instruction Fuzzy Hash: 5FC292B4A01229DFDB64EF24D898B9EB7B1FB49305F1085EAD809A7354DB356E81CF40
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 297 705e968-705e99a 298 705e9a1-705ea6d 297->298 299 705e99c 297->299 304 705ea82 298->304 305 705ea6f-705ea7d 298->305 299->298 370 705ea88 call 705f392 304->370 371 705ea88 call 705f43c 304->371 372 705ea88 call 705f3ae 304->372 373 705ea88 call 705f229 304->373 374 705ea88 call 705f2d8 304->374 306 705ef30-705ef3d 305->306 307 705ea8e-705eab7 377 705eabd call 7b7b868 307->377 378 705eabd call 7b7b858 307->378 379 705eabd call 7b7b9f8 307->379 309 705eac3-705eb2c 368 705eb2e call 7b7dc38 309->368 369 705eb2e call 7b7dc28 309->369 314 705eb34-705eb3e 315 705eebf-705eecb 314->315 375 705eecd call 7b7f508 315->375 376 705eecd call 7b7f4f8 315->376 316 705eed3-705eee9 317 705eb43-705ed59 316->317 318 705eeef-705ef2e 316->318 380 705ed5f call 7b7fa49 317->380 381 705ed5f call 7b7fa58 317->381 318->306 345 705ed65-705edaf 348 705edb7-705edb9 345->348 349 705edb1 345->349 352 705edc0-705edc7 348->352 350 705edb3-705edb5 349->350 351 705edbb 349->351 350->348 350->351 351->352 353 705ee41-705ee67 352->353 354 705edc9-705ee40 352->354 356 705ee74-705ee80 353->356 357 705ee69-705ee72 353->357 354->353 359 705ee86-705eea5 356->359 357->359 363 705eea7-705eeba 359->363 364 705eebb-705eebc 359->364 363->364 364->315 368->314 369->314 370->307 371->307 372->307 373->307 374->307 375->316 376->316 377->309 378->309 379->309 380->345 381->345
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1621149627.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7050000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: .$1
                                                                                                                                  • API String ID: 0-1839485796
                                                                                                                                  • Opcode ID: c8693e9ac41837eeacb168a267f5f565cf3b338d36ca16383e83162d0ab732cb
                                                                                                                                  • Instruction ID: 4d91fc39f0f5bfdb97f2ec1779b5a9ca7cd8d631e382ac8cf4657c3610f19360
                                                                                                                                  • Opcode Fuzzy Hash: c8693e9ac41837eeacb168a267f5f565cf3b338d36ca16383e83162d0ab732cb
                                                                                                                                  • Instruction Fuzzy Hash: 0FF1D1B4E02229CFDB68DF65D844B9DBBB2FF89305F5081A9D409AB290DB355E81CF50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 421 705c798-705c7b9 422 705c7c0-705c81b call 705bd00 421->422 423 705c7bb 421->423 426 705c823-705c853 422->426 423->422 427 705c8a5-705c8e3 426->427 428 705c855-705c89f 426->428 433 705ca5c-705ca70 427->433 428->427 436 705ca76-705ca9a 433->436 437 705c8e8-705c96c 433->437 442 705ca9b 436->442 447 705c974-705c9b9 437->447 448 705c96e-705c96f 437->448 442->442 452 705c9bf-705ca47 call 70594ec call 70594fc 447->452 453 705ca48-705ca5b 447->453 448->433 452->453 453->433
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1621149627.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7050000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: C7${7
                                                                                                                                  • API String ID: 0-420638386
                                                                                                                                  • Opcode ID: fc71cb62102da92611426a447bb03f35fb1a9865599a0812f4bb0d7b8989b698
                                                                                                                                  • Instruction ID: eebd812ff971f64f390bd1a7792200c677a29ed5fac1db1dfb8400f379a0fab2
                                                                                                                                  • Opcode Fuzzy Hash: fc71cb62102da92611426a447bb03f35fb1a9865599a0812f4bb0d7b8989b698
                                                                                                                                  • Instruction Fuzzy Hash: 3A91E7B0E01319DFDB64DF68D984B9EBBB2BF89304F1085A9D809A7251DB306E85CF51
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: f011db49903e66c96168fbda933451764beaef7ad7044fdd550a1355b68b7fed
                                                                                                                                  • Instruction ID: 88ae5ca1d5c248575d7d38b2ea17d7f31c3abd25dd5455890a106c253a635202
                                                                                                                                  • Opcode Fuzzy Hash: f011db49903e66c96168fbda933451764beaef7ad7044fdd550a1355b68b7fed
                                                                                                                                  • Instruction Fuzzy Hash: E1127D34F002158FDB54DF68C994AAEBBF6FF89604B148169E906EB365DB31DC42CB90
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1621149627.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7050000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: d0a21e7c253b1a4bc1d6f404e25a009d4c6dfddedd64039879819b9df9ac1ea9
                                                                                                                                  • Instruction ID: b15a5eb4c0ea6b0dee06915f09d2cf0a0d2f0be85df924f5e8aa8144cd6881a2
                                                                                                                                  • Opcode Fuzzy Hash: d0a21e7c253b1a4bc1d6f404e25a009d4c6dfddedd64039879819b9df9ac1ea9
                                                                                                                                  • Instruction Fuzzy Hash: 74228EB4D01229CFDB65DF69C850BDAB7B2BF89300F1081EAD549A7250EB316E85CF90
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: ba9265960792d2d96c5978cff16c81d911bc7202d882f20a8cc6e8d54da1c9e5
                                                                                                                                  • Instruction ID: 3d138b249aee4ddb9b9d0183526ba77e5ed7fb870e1b4a66e4901d8629f81601
                                                                                                                                  • Opcode Fuzzy Hash: ba9265960792d2d96c5978cff16c81d911bc7202d882f20a8cc6e8d54da1c9e5
                                                                                                                                  • Instruction Fuzzy Hash: CBF19D31A00219AFDB55DF68D880B9EBBF2FF88304F148569E515EB251EB30EC46CB91
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 51135f559a8220ea7448af5815acd5950a5942791baf191ac27fb47c833d8434
                                                                                                                                  • Instruction ID: f5555f2fdc26a6cd55fb3720431230e4be199bd98e38524df22433c80ef6bc69
                                                                                                                                  • Opcode Fuzzy Hash: 51135f559a8220ea7448af5815acd5950a5942791baf191ac27fb47c833d8434
                                                                                                                                  • Instruction Fuzzy Hash: 19D1D234E01218CFCB58EFB4D854AADBBB2FF8A305F1085A9D51AAB254DB315986CF11
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: a2437dc961771af2718c0962d0d26c729b2f8b78edb665a07468c0e7c7172a14
                                                                                                                                  • Instruction ID: 2eb9efaaed77c178e4f9d9b33fa597d20326a937e384c0b3ff83d885ec351286
                                                                                                                                  • Opcode Fuzzy Hash: a2437dc961771af2718c0962d0d26c729b2f8b78edb665a07468c0e7c7172a14
                                                                                                                                  • Instruction Fuzzy Hash: 04D1D234E01318CFCB58EFB4D854AADBBB2FF8A305F1085A9D51AAB254DB315986CF11
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1621149627.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7050000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 2db0f85524f10bd315e2cd04854097a6a0f198af4915e1de141324bc8a2b0f58
                                                                                                                                  • Instruction ID: c1d0e40b8b11ca55dfd4f267fd14e25811b5dd81a83551c5e65bbdaded750167
                                                                                                                                  • Opcode Fuzzy Hash: 2db0f85524f10bd315e2cd04854097a6a0f198af4915e1de141324bc8a2b0f58
                                                                                                                                  • Instruction Fuzzy Hash: C271E8B4E00219DFDB68DFA5D890ADEBBB2FF89300F209629D815AB355DB355841CF50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 0129D136
                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 0129D173
                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 0129D1B0
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0129D209
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1602737375.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_1290000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Current$ProcessThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2063062207-0
                                                                                                                                  • Opcode ID: 610e96806994331f0fa49bdedd768fc9a1a92549e1c68e08e588a46c5fccfd63
                                                                                                                                  • Instruction ID: 7119dade73f9b75e340761ee98cd5b833222a381475d71591abbffb9b92b1b1a
                                                                                                                                  • Opcode Fuzzy Hash: 610e96806994331f0fa49bdedd768fc9a1a92549e1c68e08e588a46c5fccfd63
                                                                                                                                  • Instruction Fuzzy Hash: F65156B090074ACFDB18DFA9D588B9EBBF1BF88314F20845DE519A73A0D7745844CB65
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 0129D136
                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 0129D173
                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 0129D1B0
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0129D209
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1602737375.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_1290000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Current$ProcessThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2063062207-0
                                                                                                                                  • Opcode ID: 9113fb7ca67223f31c7836d90675c2e42d892ab7ad8efeb1059eb2081b9ca036
                                                                                                                                  • Instruction ID: 5facb3bcbcdd42c96c1632e81c2809e0636a073b9293d994252191e862890ca2
                                                                                                                                  • Opcode Fuzzy Hash: 9113fb7ca67223f31c7836d90675c2e42d892ab7ad8efeb1059eb2081b9ca036
                                                                                                                                  • Instruction Fuzzy Hash: 8A5157B090070A8FDB14DFAAD588B9EBBF1BF88314F208459E519A73A0DB749944CF65
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 503 129ae30-129ae3f 504 129ae6b-129ae6f 503->504 505 129ae41-129ae4e call 1299838 503->505 506 129ae71-129ae7b 504->506 507 129ae83-129aec4 504->507 510 129ae50 505->510 511 129ae64 505->511 506->507 514 129aed1-129aedf 507->514 515 129aec6-129aece 507->515 560 129ae56 call 129b0b8 510->560 561 129ae56 call 129b0c8 510->561 511->504 517 129aee1-129aee6 514->517 518 129af03-129af05 514->518 515->514 516 129ae5c-129ae5e 516->511 521 129afa0-129afb7 516->521 519 129aee8-129aeef call 129a814 517->519 520 129aef1 517->520 522 129af08-129af0f 518->522 526 129aef3-129af01 519->526 520->526 534 129afb9-129b018 521->534 524 129af1c-129af23 522->524 525 129af11-129af19 522->525 528 129af30-129af39 call 129a824 524->528 529 129af25-129af2d 524->529 525->524 526->522 535 129af3b-129af43 528->535 536 129af46-129af4b 528->536 529->528 554 129b01a-129b060 534->554 535->536 537 129af69-129af76 536->537 538 129af4d-129af54 536->538 545 129af99-129af9f 537->545 546 129af78-129af96 537->546 538->537 540 129af56-129af66 call 129a834 call 129a844 538->540 540->537 546->545 555 129b068-129b093 GetModuleHandleW 554->555 556 129b062-129b065 554->556 557 129b09c-129b0b0 555->557 558 129b095-129b09b 555->558 556->555 558->557 560->516 561->516
                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0129B086
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1602737375.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_1290000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HandleModule
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                  • Opcode ID: 8107a26cb6c09e4f3e9a2a4c5edfc37e18c03e0ae4992145fd89692e39c4fdd3
                                                                                                                                  • Instruction ID: ee8a5dc7ad441a0f242d416ec23a1723957a40dd1969bf46382928d584284e5b
                                                                                                                                  • Opcode Fuzzy Hash: 8107a26cb6c09e4f3e9a2a4c5edfc37e18c03e0ae4992145fd89692e39c4fdd3
                                                                                                                                  • Instruction Fuzzy Hash: 687137B0A10B068FEB25DF2ED54575ABBF1FF88204F00892DD58ADBA50DB75E845CB90
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 562 1295935-1295a01 CreateActCtxA 564 1295a0a-1295a64 562->564 565 1295a03-1295a09 562->565 572 1295a73-1295a77 564->572 573 1295a66-1295a69 564->573 565->564 574 1295a79-1295a85 572->574 575 1295a88 572->575 573->572 574->575 576 1295a89 575->576 576->576
APIs
• CreateActCtxA.KERNEL32(?), ref: 012959F1
Memory Dump Source
• Source File: 00000002.00000002.1602737375.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1290000_RegAsm.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: ef33d4a0a86b2403f307fdede7996dce60bbaa050198e5ee77c02ea7b9af983e
• Instruction ID: 003a794362bcd8b665e7a3865e9fc34d9807feab21cce76b9276f9530ea98c95
• Opcode Fuzzy Hash: ef33d4a0a86b2403f307fdede7996dce60bbaa050198e5ee77c02ea7b9af983e
• Instruction Fuzzy Hash: 9341EFB1D1031ACFEB24DFA9C884BCEBBB5BF85714F20806AD508AB251DB756946CF50
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 578 1294248-1295a01 CreateActCtxA 581 1295a0a-1295a64 578->581 582 1295a03-1295a09 578->582 589 1295a73-1295a77 581->589 590 1295a66-1295a69 581->590 582->581 591 1295a79-1295a85 589->591 592 1295a88 589->592 590->589 591->592 593 1295a89 592->593 593->593
APIs
• CreateActCtxA.KERNEL32(?), ref: 012959F1
Memory Dump Source
• Source File: 00000002.00000002.1602737375.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1290000_RegAsm.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 64996599daf91718129d724bdee8e2ba23f393cd5276150e289c25dfb9ee4cb5
• Instruction ID: 72acc05744f385af0cf238636ad5127a0eb374f3290464c597663ebce6e97704
• Opcode Fuzzy Hash: 64996599daf91718129d724bdee8e2ba23f393cd5276150e289c25dfb9ee4cb5
• Instruction Fuzzy Hash: 8441E0B0D10719CFEB24DFA9C884B8EBBB5FF89714F20806AD508AB250DB756945CF90
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 600 129d300-129d394 DuplicateHandle 601 129d39d-129d3ba 600->601 602 129d396-129d39c 600->602 602->601
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0129D387
Memory Dump Source
• Source File: 00000002.00000002.1602737375.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1290000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: ba0e937c9f850fa5ed1d141313f7e98a79ab7b31e2ab41bb362da51f6bf291a9
• Instruction ID: be93e93265a68746970b82a0d0756ad403f344f5ba9f1b00d495c47a9d31e7a5
• Opcode Fuzzy Hash: ba0e937c9f850fa5ed1d141313f7e98a79ab7b31e2ab41bb362da51f6bf291a9
• Instruction Fuzzy Hash: FF21C4B59003499FDB10CFAAD984ADEBBF4FB48720F14841AE918A3350D374A954CFA5
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 595 129d2f9-129d394 DuplicateHandle 596 129d39d-129d3ba 595->596 597 129d396-129d39c 595->597 597->596
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0129D387
Memory Dump Source
• Source File: 00000002.00000002.1602737375.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1290000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: db8e6972d04fdb3a1a2ccc8118fe441d18a9f3353b0b2c578ededa7426903af8
• Instruction ID: 9a5d1c91ea30c72bc75bcf66d19e78ead6e85529729d01dad0678ac6ddcb61c7
• Opcode Fuzzy Hash: db8e6972d04fdb3a1a2ccc8118fe441d18a9f3353b0b2c578ededa7426903af8
• Instruction Fuzzy Hash: 2E21E0B59003499FDB10CFAAD985ADEBBF4AB48224F14841AE918A3210C378A954CF64
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 605 129a870-129b2e8 607 129b2ea-129b2ed 605->607 608 129b2f0-129b31f LoadLibraryExW 605->608 607->608 609 129b328-129b345 608->609 610 129b321-129b327 608->610 610->609
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0129B101,00000800,00000000,00000000), ref: 0129B312
Memory Dump Source
• Source File: 00000002.00000002.1602737375.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1290000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: f907dd53f4c4ee1f2e223859c8efadc71f39c92531d98013266782a882205b40
• Instruction ID: 71bde9f3324516d4b40c39e5c795a7a4d972cef9cccaf5b03034b8053bfca364
• Opcode Fuzzy Hash: f907dd53f4c4ee1f2e223859c8efadc71f39c92531d98013266782a882205b40
• Instruction Fuzzy Hash: C31114B6C003498FDB10CF9AD444B9EFBF4EB88710F14842ED919A7200C374A945CFA4
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 613 129b2a0-129b2e8 614 129b2ea-129b2ed 613->614 615 129b2f0-129b31f LoadLibraryExW 613->615 614->615 616 129b328-129b345 615->616 617 129b321-129b327 615->617 617->616
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0129B101,00000800,00000000,00000000), ref: 0129B312
Memory Dump Source
• Source File: 00000002.00000002.1602737375.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1290000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 120a2b1f6dd5fbc3d4b8c405f293c8808853e1ec4bec1125702518ab2810576b
• Instruction ID: be64c1f738bf5a74d956a389019de0c2337f49a7ac57d2b7f7fcc11429ccb62d
• Opcode Fuzzy Hash: 120a2b1f6dd5fbc3d4b8c405f293c8808853e1ec4bec1125702518ab2810576b
• Instruction Fuzzy Hash: FF1103B6C003498FDB14DFAAD844BDEBBF4EB88720F14842AD919A7200C379A545CFA4
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 620 7b74838-7b74880 622 7b74882-7b74885 620->622 623 7b74888-7b748b3 LoadLibraryW 620->623 622->623 624 7b748b5-7b748bb 623->624 625 7b748bc-7b748d9 623->625 624->625
APIs
• LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E58,?,?,07B7479E), ref: 07B748A6
Memory Dump Source
• Source File: 00000002.00000002.1622915036.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7b70000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 873c5be32db21ce9a0d915bdfa67b2be86a85d9c7fa93834040f51e53135363f
• Instruction ID: bee47ea3e95b455104998e0be4d5a1bda1022f7c2a6e5b70bdfe2e32356fdf06
• Opcode Fuzzy Hash: 873c5be32db21ce9a0d915bdfa67b2be86a85d9c7fa93834040f51e53135363f
• Instruction Fuzzy Hash: 711114B6D007898FDB10CF9AD844B9EFBF4EB88625F15842AD428A7600D774A545CFA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E58,?,?,07B7479E), ref: 07B748A6
Memory Dump Source
• Source File: 00000002.00000002.1622915036.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7b70000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 2b5af0c5158056372a3c4f7a05bec1235434e5889196d4fac7f0e95f47ba336a
• Instruction ID: 2c0d499699ad99909f46a68a077a55ef9c87126dcce70f810009752f87a7f385
• Opcode Fuzzy Hash: 2b5af0c5158056372a3c4f7a05bec1235434e5889196d4fac7f0e95f47ba336a
• Instruction Fuzzy Hash: 321114B6D007898FDB10DF9AC448B9EFBF4EB88211F14846AD429A7200D374A945CFA0
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0129B086
Memory Dump Source
• Source File: 00000002.00000002.1602737375.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1290000_RegAsm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: c8eeafad15678cb497e92d930f93ae8c4107311008e6017ab242432ed0f51f6c
• Instruction ID: 38fb0269330e41232ed87e51a1bb3138167a6b674a34cb460a229e6df9c531c2
• Opcode Fuzzy Hash: c8eeafad15678cb497e92d930f93ae8c4107311008e6017ab242432ed0f51f6c
• Instruction Fuzzy Hash: 0E1110B6C003498FDB20CF9AD844BDEFBF4AF88624F14841AD528B7210C379A545CFA1
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614608204.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6810000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: dff3ea589d0158b878523b905b0ce6778edb1ca87c62bb04fc1afd3a83dbefaa
                                                                                                                                  • Instruction ID: 29a3ebf08637b2f69be6e1f9545559cc2713b926cf7652fa72af3d42cf98e72f
                                                                                                                                  • Opcode Fuzzy Hash: dff3ea589d0158b878523b905b0ce6778edb1ca87c62bb04fc1afd3a83dbefaa
                                                                                                                                  • Instruction Fuzzy Hash: DFC22134A002189FDB55DF64C854BADBBB6EF89700F114099E60AAF3A1DB71DE81CF91
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614608204.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6810000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 8b494a74f1ed6b843da239b54e5216c5b8fad03db41107e14a0c277e6ac465e9
                                                                                                                                  • Instruction ID: 10e7c5047f34acf3f370cdc8acb810f2de9d7a0f2e2db597b0668a8db43517f6
                                                                                                                                  • Opcode Fuzzy Hash: 8b494a74f1ed6b843da239b54e5216c5b8fad03db41107e14a0c277e6ac465e9
                                                                                                                                  • Instruction Fuzzy Hash: C8723A74B00214AFCB44DF68C894EAEBBF6FF89704F158099E606DB3A1DA71ED418B51
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614608204.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6810000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 8aed2a4e2870e633294bd35152406a809f4a947bd5c097b1f48b440d1ad26830
                                                                                                                                  • Instruction ID: bf76755695246e36597e382d43567a909d8e314b91c690a52a69ba68b016c68c
                                                                                                                                  • Opcode Fuzzy Hash: 8aed2a4e2870e633294bd35152406a809f4a947bd5c097b1f48b440d1ad26830
                                                                                                                                  • Instruction Fuzzy Hash: 39426934B10B199FEB68AF74D850A2EB7B2FBC5605B10495CD5039F390CF7AE9418B86
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614608204.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6810000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: dea1ecba4e231f216b3a1f65eef8db7aaf65e505ea39fd59c2d0f9bb45f7e9f5
                                                                                                                                  • Instruction ID: bb771b10eb07a93dda3d500040e1dd0bd471d832e83e756265ab3577821bc753
                                                                                                                                  • Opcode Fuzzy Hash: dea1ecba4e231f216b3a1f65eef8db7aaf65e505ea39fd59c2d0f9bb45f7e9f5
                                                                                                                                  • Instruction Fuzzy Hash: 5522C234B002099FDB54DB69C858A7EBBFABF89704B10845AE656CB3A1CF70DC41DB91
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 859d02154e49923bbd311fca578f9aba1bf2e7886bb386821ea12e3d64ba98bf
                                                                                                                                  • Instruction ID: 6cf812156e5cb7b1f45a1713736965c5ce981e3804e76a039f29f5ff6e4d82c4
                                                                                                                                  • Opcode Fuzzy Hash: 859d02154e49923bbd311fca578f9aba1bf2e7886bb386821ea12e3d64ba98bf
                                                                                                                                  • Instruction Fuzzy Hash: 0E324C34B006158FDB54DF39C888A6EBBF6FF89605B1584A9E906DB361DB30EC45CB90
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614608204.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6810000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 41f60f5b89d4f8e01efe317957288c0ac6035b5c870bba874140fe1df0bbf994
                                                                                                                                  • Instruction ID: 634d0b1a53c585633c0eff3bfc9f7fa7110ed80351edca19870c454ca3444620
                                                                                                                                  • Opcode Fuzzy Hash: 41f60f5b89d4f8e01efe317957288c0ac6035b5c870bba874140fe1df0bbf994
                                                                                                                                  • Instruction Fuzzy Hash: EA22A534B002188FDB649B24C955FAD77B6EF88744F118199EA069F791CF71EE818F81
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614608204.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6810000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 65dc7d19a42349a4e732268ec300bac2e33ee17c2729dfbf032416725ab36192
                                                                                                                                  • Instruction ID: 39c48f15f0b0e7ea0e93be8d247a9ae6f2e152882b9b16ac3b8f6e05829701bc
                                                                                                                                  • Opcode Fuzzy Hash: 65dc7d19a42349a4e732268ec300bac2e33ee17c2729dfbf032416725ab36192
                                                                                                                                  • Instruction Fuzzy Hash: DAC1E134B00205AFEB949BA4D458B7E7BEAAF89704F10845AE642CF3A1CFB5DC45C791
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614608204.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6810000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: b0cc2ad5ba69e41d085032f92a7ebffd684b970b3b8f69dfb659f5a1066ae42e
                                                                                                                                  • Instruction ID: b675a14279f5fa1bbb472064cff71a2a3f8f947f8144a43f74b744d468da5c82
                                                                                                                                  • Opcode Fuzzy Hash: b0cc2ad5ba69e41d085032f92a7ebffd684b970b3b8f69dfb659f5a1066ae42e
                                                                                                                                  • Instruction Fuzzy Hash: B4C15E34B102089FEB549B64C859B6D7BBABF89704F108055EA02DF3A1CF79DD81CB91
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 9cdd4f60c090495dfb20aa068db14868f6ed518e3112b683dd1d81629810b378
                                                                                                                                  • Instruction ID: e74c3ec1504f5ddcb741437f26dd574621d30b55be1864601c5675fad5863dc9
                                                                                                                                  • Opcode Fuzzy Hash: 9cdd4f60c090495dfb20aa068db14868f6ed518e3112b683dd1d81629810b378
                                                                                                                                  • Instruction Fuzzy Hash: B2B15834B006148FCB54DF39C998A6EBBF6BF89605B1544A8E546DB376DB30EC05CB90
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 170cdb0275605fe0ab7ce014da973969552b57558b34c303b4b7c08c48506bbc
                                                                                                                                  • Instruction ID: 2f8161d16d304d85b1853f25f41b6e0e087dbd452f80e38f243246a1c66154f8
                                                                                                                                  • Opcode Fuzzy Hash: 170cdb0275605fe0ab7ce014da973969552b57558b34c303b4b7c08c48506bbc
                                                                                                                                  • Instruction Fuzzy Hash: C9512635A00615CFCB50CF58C880AAEBBF2FF89314B558999E959EB361D730F906CB91
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 3671f877d2f8ef320e79b0e1c0a081541cc3abc2dea48a8a4908e0a76607b7a9
                                                                                                                                  • Instruction ID: 001049e93c75803cee1d49f6307637a5a712cfdfc44df9fba6fd12338f74b518
                                                                                                                                  • Opcode Fuzzy Hash: 3671f877d2f8ef320e79b0e1c0a081541cc3abc2dea48a8a4908e0a76607b7a9
                                                                                                                                  • Instruction Fuzzy Hash: BB5123B1E003698FDB64CFA9C881BEEBBB1BF88704F148429D415EB244DB749845CF84
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614608204.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6810000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 7436eb14545b492b59e1f457e4c1e8757baec551ee164d322636925af25f445f
                                                                                                                                  • Instruction ID: c1e9f4301c07b0a332b5566b6fbf4dc8803b7eb63f106ce3a1b067044480c576
                                                                                                                                  • Opcode Fuzzy Hash: 7436eb14545b492b59e1f457e4c1e8757baec551ee164d322636925af25f445f
                                                                                                                                  • Instruction Fuzzy Hash: E02103B1D00359DFDB24DFA9C995B9EBBF9AF48310F24842AE405FB240DB749945CBA0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 410fe4bc8c4d27a3776e5f3477661e8fe8b0268c640a0c4d48ba6c95f473d3dd
                                                                                                                                  • Instruction ID: c80986ded95df359a480178e8925f15f8879c88f2469d36a61cc9275dd666425
                                                                                                                                  • Opcode Fuzzy Hash: 410fe4bc8c4d27a3776e5f3477661e8fe8b0268c640a0c4d48ba6c95f473d3dd
                                                                                                                                  • Instruction Fuzzy Hash: AE0104323042A83FCB514A99AC01FBF3FE9DB8D165F184026FB84C6281C425C8159BA0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1602478474.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_11fd000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 8909ec2b792de7b4a37c7002b6ac9112f662ada79f8edc4e645600094c6308c9
                                                                                                                                  • Instruction ID: f0e8de50c81090a2aefaa266af134e401df3f24dd7efb395185694deaf2c056b
                                                                                                                                  • Opcode Fuzzy Hash: 8909ec2b792de7b4a37c7002b6ac9112f662ada79f8edc4e645600094c6308c9
                                                                                                                                  • Instruction Fuzzy Hash: 1621C076504680DFCF06CF54D9C4B16BF62FB88318F2486A9DA480F257C33AD416CB91
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 99d209eac144e9fae5f8c5dbf4dcd0a6ce297042cae4ba2011d3465c3ec74145
                                                                                                                                  • Instruction ID: 14b6faa54616e9b65dccdbae01aabc3dfd178434676b719f8e553ed7cf44dd09
                                                                                                                                  • Opcode Fuzzy Hash: 99d209eac144e9fae5f8c5dbf4dcd0a6ce297042cae4ba2011d3465c3ec74145
                                                                                                                                  • Instruction Fuzzy Hash: A301A1312117019FC78AF738E8549AE7BA3FEC5169704481DD6478BA50CF366D0687A1
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1602478474.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_11fd000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: a22cb2ac7e8ca2eec31ed2fac24db7ed4a2581669a60e4f58f51b4d2525f63fe
                                                                                                                                  • Instruction ID: 11294c8032193ee38af5da45aaccb310ea7ee6a7616454f5eefaf9f60143ab32
                                                                                                                                  • Opcode Fuzzy Hash: a22cb2ac7e8ca2eec31ed2fac24db7ed4a2581669a60e4f58f51b4d2525f63fe
                                                                                                                                  • Instruction Fuzzy Hash: CB11CD76504280CFCF06CF44D9C0B66BF61FB84224F2886ADD9090AA16C33AE456CBA2
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1602513881.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_120d000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: e5598050a76b1bbb03a66d3720a50d8acb638a64c40f8b375dc4a1e083d93ad6
                                                                                                                                  • Instruction ID: 60e229301e756736f55689afd90bdde77ae126b67a388d51cae134007602efe1
                                                                                                                                  • Opcode Fuzzy Hash: e5598050a76b1bbb03a66d3720a50d8acb638a64c40f8b375dc4a1e083d93ad6
                                                                                                                                  • Instruction Fuzzy Hash: 4911BE75504284CFCB12CF54D5C4B15BB62FB44324F24C6A9D9494B697C33AD44ACB62
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 991a3c1a43a97db26571645cd2df1f57f90d7bf82381c15754abed1d41ac348d
                                                                                                                                  • Instruction ID: 37b6dc8165e2ebc435d5d269eef9becc839cd5b803ef84a4d5c93892c3d58ecb
                                                                                                                                  • Opcode Fuzzy Hash: 991a3c1a43a97db26571645cd2df1f57f90d7bf82381c15754abed1d41ac348d
                                                                                                                                  • Instruction Fuzzy Hash: 1401A1342043048FD315BB64E45465A7BE3FFCA229B14862AD54787685CF78AD0ACB92
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: c40683eaedcd46e620392ba704ce45c6b4dfb79356981ec34118cf5b4e1476aa
                                                                                                                                  • Instruction ID: c892f6820b2f56952784538ab9d9b0daf37cd1f22a271796cb2f5fe244b1cf1b
                                                                                                                                  • Opcode Fuzzy Hash: c40683eaedcd46e620392ba704ce45c6b4dfb79356981ec34118cf5b4e1476aa
                                                                                                                                  • Instruction Fuzzy Hash: F601B172B102199BDF10DAA9EC44ABFFBBAFBC8211B14403AE604D3240DF30990587A0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 59cfeb9f7e6d2e506544246a417a2819fdfb882680e1f93af6c24dbbcfed1c6b
                                                                                                                                  • Instruction ID: 0331b9f346af485a3a112c5e699a149aaea0c409581c7878aa351fcf310ac3f2
                                                                                                                                  • Opcode Fuzzy Hash: 59cfeb9f7e6d2e506544246a417a2819fdfb882680e1f93af6c24dbbcfed1c6b
                                                                                                                                  • Instruction Fuzzy Hash: 4901BC312107068FC78AB738E45492E7AA3FEC01A9744882DDA078B600DF767C478792
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1602478474.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_11fd000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: e8202e7c773b5d5ee29808b74f09bee0846b51b153c665d5ed930c8d7fb26cbc
                                                                                                                                  • Instruction ID: 1515fe93cf642785753285ab33fa7568f84463d8e2acb6f2606c95c6fa9a3a96
                                                                                                                                  • Opcode Fuzzy Hash: e8202e7c773b5d5ee29808b74f09bee0846b51b153c665d5ed930c8d7fb26cbc
                                                                                                                                  • Instruction Fuzzy Hash: 9501F73100C7449BEB185F55DD84B37BF98DF41625F18C45EEE084A182C778D844C776
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 6339f43b5e9772ed52b8c480322379390cabbae20c64cccafaffe42fd59f381e
                                                                                                                                  • Instruction ID: 184e5b637cd49a4a49f80ffd09ce1a0e02d5e1799db735a349b4c3e0f993eaf0
                                                                                                                                  • Opcode Fuzzy Hash: 6339f43b5e9772ed52b8c480322379390cabbae20c64cccafaffe42fd59f381e
                                                                                                                                  • Instruction Fuzzy Hash: 1801DF30A16349EFCB05FBB8E89499CBFB2BF45204B1441AAE905A7242DB341E45CBA1
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 892e173bc72f6580dc79770787728db216d1fee17d36e7a9e635772e08599e4a
• Instruction ID: cf68f700a166f4c5c9914c48d24800bead267c521ae15dd55b559f94e2332e4a
• Opcode Fuzzy Hash: 892e173bc72f6580dc79770787728db216d1fee17d36e7a9e635772e08599e4a
• Instruction Fuzzy Hash: 530192342003058FD315BF65D05465A7BE3FBC5715B108A2DD54787644CF74AC0ACB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04dee41a01d8e45ef222cfc82035ea06f21227e40c2129ce5a45f9a43f018cf4
• Instruction ID: f0c07df360c5a1aaea2d55a6c598870bdc5d64df7554279be790ccdbc6776995
• Opcode Fuzzy Hash: 04dee41a01d8e45ef222cfc82035ea06f21227e40c2129ce5a45f9a43f018cf4
• Instruction Fuzzy Hash: BE01F430A15722CFDBA88A35E40462BB7F3BF84209704883CE503C2614DB75F481CBC2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebb9f6a26a570497643e59288363f59b936238ceed91ca7eee6dd7c7fd4af797
• Instruction ID: 6fb544e8680ad25c2a4d640872babf3aa24759af365ccb516a445033097f2d6b
• Opcode Fuzzy Hash: ebb9f6a26a570497643e59288363f59b936238ceed91ca7eee6dd7c7fd4af797
• Instruction Fuzzy Hash: 2B01F4387043049FCB02EF74D8149997FB6EF8A21070484EAE901CB362DB36CD02CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5aec2639be45794ad6041c36657cba83e0d55db3c7f0340c03bfb3a1e41ef4cf
• Instruction ID: c5dddd1ce6e55e7a1dbb452f7db04b737957624ad219482d1b2d8bcbd700a4b5
• Opcode Fuzzy Hash: 5aec2639be45794ad6041c36657cba83e0d55db3c7f0340c03bfb3a1e41ef4cf
• Instruction Fuzzy Hash: 1901C4B4D0421DEFDB50DFA8D9467AEBBB5EB08301F1081A9E915E7340D7745A41DF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b904d6d0c16dcbb932a90add647ecd9494808a095f40d241d08ec12d83b907d2
• Instruction ID: 94d357a417a06ca9c88e13d4cf30c652b9ac08bfa982e75a17501266a45a132c
• Opcode Fuzzy Hash: b904d6d0c16dcbb932a90add647ecd9494808a095f40d241d08ec12d83b907d2
• Instruction Fuzzy Hash: B901C0B4D0421EEFDB54DFA9D9456AEBBF5BB48301F1081AAE915A3340E7740A40CF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2006fbb9ff1c6cf27813937589353003bf05cae2f25b25d4438e7c4a96745e44
• Instruction ID: 6c87fbe15ca8cccd810ae73b1f09ef09232a94f5a1f84e4074f970a5a5a917cb
• Opcode Fuzzy Hash: 2006fbb9ff1c6cf27813937589353003bf05cae2f25b25d4438e7c4a96745e44
• Instruction Fuzzy Hash: 2201A435606B009FD715EF25E458552BFF7FF48315704862AE587C3A51CB38A90ACF94
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b074b94774ce0256d5d84c259995ac80fd32af60bf323a15b36410b6d8a2e77
• Instruction ID: a470d2fea37cca56e764bf20755f81a2f4b72c13ec130107675533b3b8491311
• Opcode Fuzzy Hash: 1b074b94774ce0256d5d84c259995ac80fd32af60bf323a15b36410b6d8a2e77
• Instruction Fuzzy Hash: EEF090313007114FC618E769E890D6E77E7BBC9651310892DE84A8B354EF30ED0683E1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1602478474.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_11fd000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 02b02be9224e442af63b64516fbc412ef70e644169e95c84c67da8ac4037a337
• Instruction ID: e4166dd2b1732e58cdec0c4d5f296c9b35219641f7c4f4cabc929c5835627956
• Opcode Fuzzy Hash: 02b02be9224e442af63b64516fbc412ef70e644169e95c84c67da8ac4037a337
• Instruction Fuzzy Hash: 46F062714083449FEB158E1ADD84B63FF98DB41635F18C45EEE085A286C778A844CBB5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a4e2c215842c8b28a16675e7ddfb6da9cc7f364a3903f3ae80b15439f1c759a
• Instruction ID: 02c5480ca2f72c938d5ade763140438fd3ef28dd9bf5985345416a689df8f7af
• Opcode Fuzzy Hash: 3a4e2c215842c8b28a16675e7ddfb6da9cc7f364a3903f3ae80b15439f1c759a
• Instruction Fuzzy Hash: 51F02431B40300AFC7209A28EC01F9A7FE4AB86715F048266F710CB1E2E7B1E846D780
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 65c4381a4a2d27b5ae1113b64955adf80117fd5ad29548bb142713250b0052a2
• Instruction ID: 043c5ee19ae572b963c1b7cd1db463a1c4666890cc210b5243a699780defa7b7
• Opcode Fuzzy Hash: 65c4381a4a2d27b5ae1113b64955adf80117fd5ad29548bb142713250b0052a2
• Instruction Fuzzy Hash: 0AF0BB302197D05FC312E738E814A9B7FE79F82119B08055EF142CB253CB655D05C7A2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0a613f7ae9456b66c2dc6024d7b5e1fbdcd554998dba9bb2a63a2a19b68df7f
• Instruction ID: bd1f4fa9f7656715d43735879b09aacf7c34a9418dcacc8b19724307328ec460
• Opcode Fuzzy Hash: a0a613f7ae9456b66c2dc6024d7b5e1fbdcd554998dba9bb2a63a2a19b68df7f
• Instruction Fuzzy Hash: 76F012662041E83F8B554E9A5C10DFB7FEDDA8E1657084156FFA8D2141C429C921ABB0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bab78e1ecafb2a4729290532612e48bed31f31922d632eb7c8f0a8b47d1d6265
• Instruction ID: 556fe7d7ff25f66583cff47ebd7f26b5bce6d2a6aa503d0b35d58ae2a5930619
• Opcode Fuzzy Hash: bab78e1ecafb2a4729290532612e48bed31f31922d632eb7c8f0a8b47d1d6265
• Instruction Fuzzy Hash: 80F0A9B0C0826DDFDB01CFA0C8165AEBFB0EB1A301F004186E446EB250E6784A01CB80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1ad297cb385c6be186fc5f9ad62afaa5931bef21e428af7eb72b1a87a584a6db
• Instruction ID: 35c56021092e1282fd37e7c6c84dbca7d7993b7fadf0d9bc46f77ca09c7e0c49
• Opcode Fuzzy Hash: 1ad297cb385c6be186fc5f9ad62afaa5931bef21e428af7eb72b1a87a584a6db
• Instruction Fuzzy Hash: FDF027767092A08FC7173778A8240AD3FB2EACA65630800DFE287CF251CB644903C3E2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 746f2e378681587abd61fb3d5257475fae62fe381f726b429810c0d6dbda1f19
• Instruction ID: 508d7bd00cc5964dede8723e3fb4fa749f94a14748b684ff7acfd5fecc32c902
• Opcode Fuzzy Hash: 746f2e378681587abd61fb3d5257475fae62fe381f726b429810c0d6dbda1f19
• Instruction Fuzzy Hash: 49F0A7353012419FC314B75DA454B9BBFEAFFCA259B44016EE31ACB642CA61184687A5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4faf28abda156ef458772d69b1220a3d7427260fef70461a4e865fbe8f7f507
• Instruction ID: 30d4543b4d2c43460c804f62334e838d864b472a9bef154ba38042aefffee824
                                                                                                                                  • Opcode Fuzzy Hash: e4faf28abda156ef458772d69b1220a3d7427260fef70461a4e865fbe8f7f507
                                                                                                                                  • Instruction Fuzzy Hash: DDF08272B142695B8B20DA69DC45ABFBFF9ABD9151F08442AE554D3200EB30940587A2
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 60e8146458f91159dae844c2ffeda4b02dafb6df01d29d59ddf1fc7bf17869dd
                                                                                                                                  • Instruction ID: 370709988212107385b141ab16b1fe5b838d014cf358e69989e5b77c8a696ea4
                                                                                                                                  • Opcode Fuzzy Hash: 60e8146458f91159dae844c2ffeda4b02dafb6df01d29d59ddf1fc7bf17869dd
                                                                                                                                  • Instruction Fuzzy Hash: 67F04970A1130DEFCB08FFB8E99499CBBB2FF84215B2441A9C906A7355EB345E05DB85
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 27882178e14de6610db8ad4def70d57c51b47917a8a061ea1e26dca7db147193
                                                                                                                                  • Instruction ID: e0792325ac7d0ff91e1ca2c714fb686432c739fa1b6698c9559644ccaf12cd4d
                                                                                                                                  • Opcode Fuzzy Hash: 27882178e14de6610db8ad4def70d57c51b47917a8a061ea1e26dca7db147193
                                                                                                                                  • Instruction Fuzzy Hash: 64F024319007A18FDBA4CE62D50176FBBB2BF80319F08C86CD04286928C774F485CF80
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: dc50dfcc0e49d530bbdc5686749c01b662aa9466ec7015850b4be21e51d28b1c
                                                                                                                                  • Instruction ID: c7ffcf25f460999d24726d275d6e19ad2fc8ce007a5db351c8fc9cd2c6e0b32d
                                                                                                                                  • Opcode Fuzzy Hash: dc50dfcc0e49d530bbdc5686749c01b662aa9466ec7015850b4be21e51d28b1c
                                                                                                                                  • Instruction Fuzzy Hash: 20E09235301201AFC3143A5AA448A9EBADAEBCA6A5B00402EE30EC7241CA611C0687A5
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: fc8f412306d6d81da264ea135c7ae77fe43e596cfb080d5680f958b4097b38b3
                                                                                                                                  • Instruction ID: be3cff7a059029977072334a2647caa0d87b4e2cad4b33657425e8fa8afb4e69
                                                                                                                                  • Opcode Fuzzy Hash: fc8f412306d6d81da264ea135c7ae77fe43e596cfb080d5680f958b4097b38b3
                                                                                                                                  • Instruction Fuzzy Hash: B9F09A34505B058FD725FF26E448512BBF7FB88311700C62EE88B82A10DB78B90ACF84
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: adffa48e8bd2135689d204d914f3218c4103576dc99d4ed241c07d25ad984727
                                                                                                                                  • Instruction ID: d688a5e2015132f4614636ce8cc5462d8adae097a9b5c3b57879a571f88ad816
                                                                                                                                  • Opcode Fuzzy Hash: adffa48e8bd2135689d204d914f3218c4103576dc99d4ed241c07d25ad984727
                                                                                                                                  • Instruction Fuzzy Hash: 6BE0D8311227549FC752FA18FC10ADB3F71EB65514B014155E1008B646CF300D068FF1
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 12d1734738227a537ac15098ffae8c90826360aa4aa075178d19878f46228f53
                                                                                                                                  • Instruction ID: a2a411630031c226bae373edf61a3b04cb7b4c9b5fb7ac0a145dd44ce60eaa00
                                                                                                                                  • Opcode Fuzzy Hash: 12d1734738227a537ac15098ffae8c90826360aa4aa075178d19878f46228f53
                                                                                                                                  • Instruction Fuzzy Hash: 9CF01C35D0120CAFCB01EFB4D9488CDBFB9EB44200F1042A6E845E2245EB345F55DB91
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 041a999637eb73343fac889e1647a83350526cb80500845f8c14664e96ed3de4
                                                                                                                                  • Instruction ID: 26890d15469c7911db815efa2b5d81212ddc49c47e8b56eeec16a42a6dbb6183
                                                                                                                                  • Opcode Fuzzy Hash: 041a999637eb73343fac889e1647a83350526cb80500845f8c14664e96ed3de4
                                                                                                                                  • Instruction Fuzzy Hash: B5E065303047554FC711B72DE418B9E7BE6EFC5615F04052EE64787646CBA56C068791
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 44fd677f952273b7c7d5b7abb3a94dd779b339f97e45bbd3d6e640b6688d9850
                                                                                                                                  • Instruction ID: 7e627694c545cfc052c0226dc508c1c4fceea29bdec008a108652a6ee0cf30ce
                                                                                                                                  • Opcode Fuzzy Hash: 44fd677f952273b7c7d5b7abb3a94dd779b339f97e45bbd3d6e640b6688d9850
                                                                                                                                  • Instruction Fuzzy Hash: AAE02670036399FFCB23F324F924ADA3FB9AF52614B068199E9019760ACB340C41CBE1
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 733dd43166d1372626672a4d421c38fe9408b1d4e18c3eafa3abc0f8455d331c
                                                                                                                                  • Instruction ID: 77658c070b0b4c8dfe51cc8b01243d655e55bfc5c149ff19fabfc67b291f6c8e
                                                                                                                                  • Opcode Fuzzy Hash: 733dd43166d1372626672a4d421c38fe9408b1d4e18c3eafa3abc0f8455d331c
                                                                                                                                  • Instruction Fuzzy Hash: 44E09AB210D2418FD3059BA4A80988A3BE4EB62324B0188BEF140CA096E6799443CA96
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 70abe7555daf3edc51d69d65292cdad402b9c75d5e17166161c7cd99675a4651
                                                                                                                                  • Instruction ID: 3c291fab58dfe7396f4eded959a0ad3154a700126c6f06a4fc5cc8af3356534d
                                                                                                                                  • Opcode Fuzzy Hash: 70abe7555daf3edc51d69d65292cdad402b9c75d5e17166161c7cd99675a4651
                                                                                                                                  • Instruction Fuzzy Hash: ADE0CD246053246FC705A56D94201EB7B9B8EDA1143194067E740CB106CE254C0747D1
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: d76d427e41d1fba3f1663b5c556e54547f1cc6f65514b4581e248c445efcf760
                                                                                                                                  • Instruction ID: bbb3f5d00a20c0e5c5a972815a65061c20e727b1a51a0bd00352efc4bfa9a207
                                                                                                                                  • Opcode Fuzzy Hash: d76d427e41d1fba3f1663b5c556e54547f1cc6f65514b4581e248c445efcf760
                                                                                                                                  • Instruction Fuzzy Hash: 79E0DF71A09308EFCB02EB68E85089D3BB2AA9211172482DBD809D7291D6300F168B92
                                                                                                                                  Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5982237686b726c9afd465f558e1c17bea1d2aecd3da5c6505e42bc3e79ef010
• Instruction ID: df97715369a961b199624ddfc43b7e03ddd08020a88ed6b639033a70f6430843
• Opcode Fuzzy Hash: 5982237686b726c9afd465f558e1c17bea1d2aecd3da5c6505e42bc3e79ef010
• Instruction Fuzzy Hash: 89D05B313106295787053769F4184AF77ABEBC5572304002EE70BCB240CF651D03C7E6
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e48cfe24d841bd97ed845b669083f87bdc464d905bbf8c8ce1acc7af3501e5d
• Instruction ID: d42d0bbff98d30d855374fde7e8ce806d8ad4c6bab49b4fca3ca723809be43cf
• Opcode Fuzzy Hash: 1e48cfe24d841bd97ed845b669083f87bdc464d905bbf8c8ce1acc7af3501e5d
• Instruction Fuzzy Hash: 48E0E239225144AFC702DB68C8408953F7AAF6A2153095086F6408F672C7319926DB60
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 200e2a9b9b01617780b80467099ac14a7e9029fb58074bed6f0afc5feb92d153
• Instruction ID: 302537a9ebccb2f7dee2782f6143902ea007c403aa257fef707ac437af77a59a
• Opcode Fuzzy Hash: 200e2a9b9b01617780b80467099ac14a7e9029fb58074bed6f0afc5feb92d153
• Instruction Fuzzy Hash: B2E09A75E0020CEFCB40EFE4D9448DDBBB9EB48200F1082A6D905A3200EB345F55DF80
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d2e6c787486b7eed9b7bde81edb5042457749608ae8623bafbff36f40b88306b
• Instruction ID: 3069c4420aa8c49dbf480f346c5bbae51380366a21fb2053d00bd9c527970383
• Opcode Fuzzy Hash: d2e6c787486b7eed9b7bde81edb5042457749608ae8623bafbff36f40b88306b
• Instruction Fuzzy Hash: 36E0863012071BCFC758FA04FE26B48B7B2F759B18F020159D5125B668CB701A558FC5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0387ccadeeec630ebe7e38951801795367308433f61e9e6a4a067d47271afe5c
• Instruction ID: 99cd417fdcd42fc5d85e22338ecd1b430fd5bd4d5b1c059420ecbdf2cfecb1ac
• Opcode Fuzzy Hash: 0387ccadeeec630ebe7e38951801795367308433f61e9e6a4a067d47271afe5c
• Instruction Fuzzy Hash: 01D05E71A0030CFFCF41EFA8E91099DB7F9EB85214B1085ADD909E7200EB312F009B91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f991b9b90fc8106735422177886999dd486d76411e32cd724edb7d683aa47879
• Instruction ID: 273f1b880ca0f1d9f6234ba623caa6eb635e9c3882aaeb9a211fac2440d437f3
• Opcode Fuzzy Hash: f991b9b90fc8106735422177886999dd486d76411e32cd724edb7d683aa47879
• Instruction Fuzzy Hash: 30C012B2B442200B0288B6AC701006E66D792D82F3395012FE60EC7348CEA0AC628380
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c8935d40b05d0df5902178d7b00da2f3a532575aa586f93ad68911b3f7ae027
• Instruction ID: 830f0d4ba40fe52b711b2d37ddc70b2452d4e2ab08ffef5d7183a2007d8a10ef
• Opcode Fuzzy Hash: 3c8935d40b05d0df5902178d7b00da2f3a532575aa586f93ad68911b3f7ae027
• Instruction Fuzzy Hash: C5C092B69512018BC708A6509C43FE227E2D3BDA48F6B8122E65096202D66C611A84A5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae22e5b371ccaf497ee9d2e14b6336cb97bf165d28f686792da69daa60855148
• Instruction ID: 0945b1c49f0599fdc919039fa600122bae4b2ad34a6eb3560b70456e5de702e6
• Opcode Fuzzy Hash: ae22e5b371ccaf497ee9d2e14b6336cb97bf165d28f686792da69daa60855148
• Instruction Fuzzy Hash: 7FC04C3155B2905EDF065764980D4853E165F9373571541CAA2419A066D6510415CBA6
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1621149627.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7050000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55cab1e973f9947f0f79e6b299ec3e2a8915f883176d55b3c226eb45cf681fd3
• Instruction ID: 2b3e71166f362ea832834ed38fa63705335d3b4887c4c18f663d9330b6ba5155
• Opcode Fuzzy Hash: 55cab1e973f9947f0f79e6b299ec3e2a8915f883176d55b3c226eb45cf681fd3
• Instruction Fuzzy Hash: 24C19074E01219CFDB68DFA9D850A9DBBB2BF89300F2085AAD419AB354DB355D82CF41
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1621149627.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7050000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 997fd0a176ee59568a9763896bdd984e529648dd5dd625d07a6f5766aa1f0c9e
• Instruction ID: cd84d088b86b6481b1d02ed8110c692d5c1124291fccdd929bd5ef6bb24610bb
• Opcode Fuzzy Hash: 997fd0a176ee59568a9763896bdd984e529648dd5dd625d07a6f5766aa1f0c9e
• Instruction Fuzzy Hash: F1C18F74E01219CFDB68DFA9D850B9DBBB2BF89300F2085AAD419AB354DB355D82CF41
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1621149627.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7050000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e19d8c4a00e79383245398a255c014a36c7f41e304f6ce28c4e4d68bf596e45c
• Instruction ID: d395a9b484f2ab0a905d645207c95ca06049fb341eb8f60e462b1c63a8e8a205
• Opcode Fuzzy Hash: e19d8c4a00e79383245398a255c014a36c7f41e304f6ce28c4e4d68bf596e45c
• Instruction Fuzzy Hash: EDF0C9B194421DCBDB208F60D8997BEBBB0BB0A309F146759D41673190CB744684CF84
Uniqueness
Uniqueness Score: -1.00%
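The listing above is a run of per-function records produced by the Joe Sandbox IDA plugin: each one names the memory dump the function was carved from (here two regions of RegAsm, at 06830000 and 07050000), its Opcode ID / Instruction ID, and an Instruction Fuzzy Hash. When triaging a report like this it helps to pull the records into a structured form, group them by dumped region, and flag fuzzy hashes that differ in only a few positions; the two 07050000 records beginning 24C19074 and F1C18F74 are a visible case. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses three records copied verbatim from the listing. Reading the dotted fields of the .sdmp filename as the region base and its Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE) is an assumption not stated on the page, and the nibble-by-nibble distance is a crude heuristic of my own, not Joe Sandbox's own similarity scoring.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

# Constructed input: three records copied verbatim from the listing above.
SAMPLE_LISTING = """\
Memory Dump Source
• Source File: 00000002.00000002.1621149627.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7050000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55cab1e973f9947f0f79e6b299ec3e2a8915f883176d55b3c226eb45cf681fd3
• Instruction ID: 2b3e71166f362ea832834ed38fa63705335d3b4887c4c18f663d9330b6ba5155
• Opcode Fuzzy Hash: 55cab1e973f9947f0f79e6b299ec3e2a8915f883176d55b3c226eb45cf681fd3
• Instruction Fuzzy Hash: 24C19074E01219CFDB68DFA9D850A9DBBB2BF89300F2085AAD419AB354DB355D82CF41
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.1621149627.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7050000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 997fd0a176ee59568a9763896bdd984e529648dd5dd625d07a6f5766aa1f0c9e
• Instruction ID: cd84d088b86b6481b1d02ed8110c692d5c1124291fccdd929bd5ef6bb24610bb
• Opcode Fuzzy Hash: 997fd0a176ee59568a9763896bdd984e529648dd5dd625d07a6f5766aa1f0c9e
• Instruction Fuzzy Hash: F1C18F74E01219CFDB68DFA9D850B9DBBB2BF89300F2085AAD419AB354DB355D82CF41
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.1614647184.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e48cfe24d841bd97ed845b669083f87bdc464d905bbf8c8ce1acc7af3501e5d
• Instruction ID: d42d0bbff98d30d855374fde7e8ce806d8ad4c6bab49b4fca3ca723809be43cf
• Opcode Fuzzy Hash: 1e48cfe24d841bd97ed845b669083f87bdc464d905bbf8c8ce1acc7af3501e5d
• Instruction Fuzzy Hash: 48E0E239225144AFC702DB68C8408953F7AAF6A2153095086F6408F672C7319926DB60
Uniqueness
Uniqueness Score: -1.00%
"""

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")          # "• Key: value" lines
SOURCE_RE = re.compile(r"(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(\w+)")
# Assumption, not stated on the page: dotted fields 3 and 4 of the .sdmp name are the
# region base and its Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass
class FunctionRecord:
    dump: str
    offset: int
    opcode_id: str
    instruction_id: str
    instruction_fuzzy_hash: str

    @property
    def region_protection(self) -> str:
        prot = int(self.dump.split(".")[4], 16)
        return PAGE_PROTECT.get(prot, f"0x{prot:x}")


def parse_listing(text: str) -> list:
    """One FunctionRecord per 'Memory Dump Source' block in the report text."""
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        fields = {m.group(1).strip(): m.group(2).strip()
                  for m in map(FIELD_RE.match, chunk.splitlines()) if m}
        src = SOURCE_RE.search(fields.get("Source File", ""))
        if not src:
            raise ValueError("malformed record: no Source File line")
        records.append(FunctionRecord(
            dump=src.group(1), offset=int(src.group(2), 16),
            opcode_id=fields["Opcode ID"], instruction_id=fields["Instruction ID"],
            instruction_fuzzy_hash=fields["Instruction Fuzzy Hash"]))
    return records


def nibble_distance(a: str, b: str) -> int:
    # Count of positions where the hex digits differ: my own crude positional heuristic.
    if len(a) != len(b):
        raise ValueError("hashes differ in length")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def near_duplicates(records, max_distance: int = 8) -> list:
    pairs = ((x, y, nibble_distance(x.instruction_fuzzy_hash, y.instruction_fuzzy_hash))
             for x, y in combinations(records, 2)
             if len(x.instruction_fuzzy_hash) == len(y.instruction_fuzzy_hash))
    return [(x.instruction_id, y.instruction_id, d) for x, y, d in pairs if d <= max_distance]


def group_by_region(records) -> dict:
    groups = defaultdict(list)
    for r in records:
        groups[(r.dump, r.offset)].append(r)
    return dict(groups)
```

Running `parse_listing(SAMPLE_LISTING)` on the three copied records yields two regions (two functions at 07050000, one at 06830000), both decoded as PAGE_EXECUTE_READWRITE under the filename assumption, and `near_duplicates` reports the 24C19074/F1C18F74 pair at distance 5 of 70 nibbles while leaving the 06830000 function unpaired. Treat the distance as a hint to look at both functions side by side in the snapshot, not as a verdict.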