Windows Analysis Report
Docs.exe

Overview

General Information

Sample name:Docs.exe
Analysis ID:1432055
MD5:28da32c1cf8ead709f4888f84a697c28
SHA1:45122f3c46fb3400cc6710a830a259da54b07298
SHA256:c10f8bc18521b4c90063ae5fc1e0e95e40ed35be3758d90f597d7cc1e3853ade
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Docs.exe (PID: 7388 cmdline: "C:\Users\user\Desktop\Docs.exe" MD5: 28DA32C1CF8EAD709F4888F84A697C28)
    • Docs.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\Docs.exe" MD5: 28DA32C1CF8EAD709F4888F84A697C28)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alkuwaiti.com", "Username": "electronics@alkuwaiti.com", "Password": "Ele@1804"}
Source | Rule | Description | Author | Strings
00000002.00000002.2996631078.0000000003461000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.2996631078.0000000003461000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.2996631078.000000000348B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.2989969989.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.2989969989.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
0.2.Docs.exe.48a3e18.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.Docs.exe.48a3e18.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Docs.exe.48a3e18.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | (strings listed below)
  • 0x316bd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3172f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317b9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3184b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318b5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31927:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319bd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a4d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.Docs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
2.2.Docs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

                    System Summary

                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 50.87.219.149, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Docs.exe, Initiated: true, ProcessId: 7576, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
                    No Snort rule has matched

                    AV Detection

                    Source: Docs.exeAvira: detected
                    Source: 0.2.Docs.exe.48a3e18.3.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alkuwaiti.com", "Username": "electronics@alkuwaiti.com", "Password": "Ele@1804"}
                    Source: Docs.exeReversingLabs: Detection: 87%
                    Source: Docs.exeVirustotal: Detection: 74%
                    Source: Docs.exeJoe Sandbox ML: detected
                    Source: Docs.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2
                    Source: Docs.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\Docs.exeCode function: 4x nop then jmp 075D414Ah0_2_075D37D3
                    Source: global trafficTCP traffic: 192.168.2.4:49736 -> 50.87.219.149:587
                    Source: Joe Sandbox ViewIP Address: 50.87.219.149 50.87.219.149
                    Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                    Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: mail.alkuwaiti.com
                    Source: Docs.exe, 00000002.00000002.2996631078.000000000348B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.alkuwaiti.com
                    Source: Docs.exe, 00000002.00000002.2990281879.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, Docs.exe, 00000002.00000002.2990281879.00000000014F4000.00000004.00000020.00020000.00000000.sdmp, Docs.exe, 00000002.00000002.2996631078.000000000348B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0
                    Source: Docs.exe, 00000002.00000002.2990281879.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, Docs.exe, 00000002.00000002.2990281879.00000000014F4000.00000004.00000020.00020000.00000000.sdmp, Docs.exe, 00000002.00000002.2996631078.000000000348B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r3.o.lencr.org0
                    Source: Docs.exe, 00000002.00000002.2996631078.0000000003411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Docs.exeString found in binary or memory: http://weather.yahooapis.com/forecastrss?w=4118
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: Docs.exeString found in binary or memory: http://www.ctvnews.ca/rss/business/ctv-news-business-headlines-1.867648
                    Source: Docs.exeString found in binary or memory: http://www.ctvnews.ca/rss/ctvnews-ca-top-stories-public-rss-1.822009
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmp, Docs.exe, 00000000.00000002.1810817443.0000000005B50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: Docs.exe, 00000000.00000002.1810847531.0000000006C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: Docs.exe, 00000002.00000002.2990281879.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, Docs.exe, 00000002.00000002.3012553587.0000000006BFD000.00000004.00000020.00020000.00000000.sdmp, Docs.exe, 00000002.00000002.2996631078.000000000348B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                    Source: Docs.exe, 00000002.00000002.2990281879.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, Docs.exe, 00000002.00000002.3012553587.0000000006BFD000.00000004.00000020.00020000.00000000.sdmp, Docs.exe, 00000002.00000002.2996631078.000000000348B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                    Source: Docs.exeString found in binary or memory: http://xml.weather.yahoo.com/ns/rss/1.0
                    Source: Docs.exe, 00000000.00000002.1807736148.00000000048A3000.00000004.00000800.00020000.00000000.sdmp, Docs.exe, 00000002.00000002.2989969989.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: Docs.exe, 00000000.00000002.1807736148.00000000048A3000.00000004.00000800.00020000.00000000.sdmp, Docs.exe, 00000002.00000002.2996631078.0000000003411000.00000004.00000800.00020000.00000000.sdmp, Docs.exe, 00000002.00000002.2989969989.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: Docs.exe, 00000002.00000002.2996631078.0000000003411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: Docs.exe, 00000002.00000002.2996631078.0000000003411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 0.2.Docs.exe.48a3e18.3.raw.unpack, oAKy.cs.Net Code: CHgRvKS
                    Source: 0.2.Docs.exe.48de838.4.raw.unpack, oAKy.cs.Net Code: CHgRvKS

                    System Summary

                    Source: 0.2.Docs.exe.48a3e18.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 2.2.Docs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Docs.exe.48de838.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Docs.exe.48de838.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Docs.exe.48a3e18.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Docs.exe.2bb3bc8.0.raw.unpack, LoginForm.csLarge array initialization: : array initializer size 33603
                    Source: Docs.exe, 00000000.00000002.1807736148.00000000048A3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename4548b61d-822f-464b-a714-a9778dc216a9.exe4 vs Docs.exe
                    Source: Docs.exe, 00000000.00000002.1806967932.0000000002B61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dll8 vs Docs.exe
                    Source: Docs.exe, 00000000.00000002.1810375337.00000000054C0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dll8 vs Docs.exe
                    Source: Docs.exe, 00000000.00000002.1813016713.000000000A1B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Docs.exe
                    Source: Docs.exe, 00000000.00000002.1806967932.0000000002DC4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename4548b61d-822f-464b-a714-a9778dc216a9.exe4 vs Docs.exe
                    Source: Docs.exe, 00000000.00000002.1807736148.000000000453E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Docs.exe
                    Source: Docs.exe, 00000000.00000002.1805833090.0000000000E7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Docs.exe
                    Source: Docs.exe, 00000000.00000000.1746093479.000000000073A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamejEhf.exe8 vs Docs.exe
                    Source: Docs.exe, 00000002.00000002.2990143900.0000000001358000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Docs.exe
                    Source: Docs.exe, 00000002.00000002.2989969989.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilename4548b61d-822f-464b-a714-a9778dc216a9.exe4 vs Docs.exe
                    Source: Docs.exeBinary or memory string: OriginalFilenamejEhf.exe8 vs Docs.exe
                    Source: 0.2.Docs.exe.48a3e18.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 2.2.Docs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Docs.exe.48de838.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Docs.exe.48de838.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Docs.exe.48a3e18.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: Docs.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.Docs.exe.48a3e18.3.raw.unpack, ekKu0.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Docs.exe.48a3e18.3.raw.unpack, vKf1z6NvS.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Docs.exe.48a3e18.3.raw.unpack, ZNAvlD7qmXc.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.Docs.exe.48a3e18.3.raw.unpack, U2doU2.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Docs.exe.48a3e18.3.raw.unpack, BgffYko.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Docs.exe.48a3e18.3.raw.unpack, HrTdA63.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.Docs.exe.48a3e18.3.raw.unpack, Vvp22TrBv9g.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Docs.exe.4746900.1.raw.unpack, rAlbc02QxmOsojTQuK.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.Docs.exe.4746900.1.raw.unpack, rAlbc02QxmOsojTQuK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Docs.exe.4746900.1.raw.unpack, rAlbc02QxmOsojTQuK.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.Docs.exe.47c3120.2.raw.unpack, cPZCAoVt2erFRDjGhH.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.Docs.exe.47c3120.2.raw.unpack, cPZCAoVt2erFRDjGhH.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Docs.exe.a1b0000.8.raw.unpack, cPZCAoVt2erFRDjGhH.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.Docs.exe.a1b0000.8.raw.unpack, cPZCAoVt2erFRDjGhH.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Docs.exe.47c3120.2.raw.unpack, rAlbc02QxmOsojTQuK.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.Docs.exe.47c3120.2.raw.unpack, rAlbc02QxmOsojTQuK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Docs.exe.47c3120.2.raw.unpack, rAlbc02QxmOsojTQuK.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.Docs.exe.4746900.1.raw.unpack, cPZCAoVt2erFRDjGhH.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.Docs.exe.4746900.1.raw.unpack, cPZCAoVt2erFRDjGhH.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Docs.exe.a1b0000.8.raw.unpack, rAlbc02QxmOsojTQuK.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.Docs.exe.a1b0000.8.raw.unpack, rAlbc02QxmOsojTQuK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Docs.exe.a1b0000.8.raw.unpack, rAlbc02QxmOsojTQuK.csSecurity API names: _0020.AddAccessRule
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
                    Source: C:\Users\user\Desktop\Docs.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Docs.exe.log
                    Source: C:\Users\user\Desktop\Docs.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\Docs.exeMutant created: \Sessions\1\BaseNamedObjects\ecpDFacNifg
                    Source: Docs.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                    Source: C:\Users\user\Desktop\Docs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Docs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Docs.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\Docs.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\Docs.exe "C:\Users\user\Desktop\Docs.exe"
                    Source: C:\Users\user\Desktop\Docs.exeProcess created: C:\Users\user\Desktop\Docs.exe "C:\Users\user\Desktop\Docs.exe"
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: vaultcli.dll
                    Source: C:\Users\user\Desktop\Docs.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\Docs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\Docs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\Docs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: Docs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Docs.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: 0.2.Docs.exe.47c3120.2.raw.unpack, rAlbc02QxmOsojTQuK.cs .Net Code: cf4GIVPOPP System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Docs.exe.4746900.1.raw.unpack, rAlbc02QxmOsojTQuK.cs .Net Code: cf4GIVPOPP System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Docs.exe.2bb3bc8.0.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Docs.exe.a1b0000.8.raw.unpack, rAlbc02QxmOsojTQuK.cs .Net Code: cf4GIVPOPP System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\Docs.exe Code function: 0_2_07530BDD pushad ; retf 0_2_07530BDE
                    Source: C:\Users\user\Desktop\Docs.exe Code function: 0_2_07530BE7 pushad ; retf 0_2_07530BE8
                    Source: C:\Users\user\Desktop\Docs.exe Code function: 0_2_075D6F7D push FFFFFF8Bh; iretd 0_2_075D6F7F
                    Source: C:\Users\user\Desktop\Docs.exe Code function: 2_2_017E0C3D push edi; ret 2_2_017E0CC2
                    Source: C:\Users\user\Desktop\Docs.exe Code function: 2_2_017E0C95 push edi; retf 2_2_017E0C3A
                    Source: Docs.exe Static PE information: section name: .text entropy: 7.932093151014693
                    Source: C:\Users\user\Desktop\Docs.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\Docs.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\Docs.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: Docs.exe PID: 7388, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Docs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: 1070000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: 2B60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: 2890000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: 79E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: 89E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: 8B90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: 9B90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: A230000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: B230000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: C230000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: 17E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: 3410000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: 3260000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Docs.exe Window / User API: threadDelayed 5431
                    Source: C:\Users\user\Desktop\Docs.exe Window / User API: threadDelayed 1839
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7408 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -22136092888451448s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -99890s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7736 Thread sleep count: 5431 > 30
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7736 Thread sleep count: 1839 > 30
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -99781s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -99672s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -99562s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -99453s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -99343s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -99233s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -99125s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -99015s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -98906s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -98797s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -98687s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -98578s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -98468s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -98359s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -98250s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -98136s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -98031s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -97920s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -97812s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -97703s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -97590s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -97484s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -97375s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -97265s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -97156s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -97047s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -96937s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -96828s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -96718s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -96609s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -96500s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -96390s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -96281s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -96172s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe TID: 7732 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Docs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Docs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Docs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 99890
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 99781
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 99672
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 99562
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 99453
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 99343
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 99233
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 99125
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 99015
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 98906
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 98797
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 98687
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 98578
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 98468
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 98359
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 98250
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 98136
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 98031
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 97920
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 97812
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 97703
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 97590
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 97484
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 97375
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 97265
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 97156
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 97047
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 96937
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 96828
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 96718
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 96609
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 96500
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 96390
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 96281
                    Source: C:\Users\user\Desktop\Docs.exe Thread delayed: delay time: 96172
                    Source: Docs.exe, 00000002.00000002.2990281879.000000000152A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\Docs.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Docs.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Docs.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Docs.exe Memory written: C:\Users\user\Desktop\Docs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Docs.exe Process created: C:\Users\user\Desktop\Docs.exe "C:\Users\user\Desktop\Docs.exe"
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Users\user\Desktop\Docs.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Users\user\Desktop\Docs.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Docs.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match; File source: 0.2.Docs.exe.48a3e18.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 2.2.Docs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Docs.exe.48de838.4.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Docs.exe.48de838.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Docs.exe.48a3e18.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.2996631078.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000002.00000002.2996631078.000000000348B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000002.00000002.2989969989.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1807736148.00000000048A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: Docs.exe PID: 7388, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Docs.exe PID: 7576, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Docs.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\Docs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\Docs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\Docs.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\Docs.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\Desktop\Docs.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\Desktop\Docs.exe; File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\Docs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\Docs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\Docs.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                    Remote Access Functionality

                    Source: Yara match; File source: 0.2.Docs.exe.48a3e18.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 2.2.Docs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Docs.exe.48de838.4.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Docs.exe.48de838.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Docs.exe.48a3e18.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.2996631078.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000002.00000002.2996631078.000000000348B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000002.00000002.2989969989.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1807736148.00000000048A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: Docs.exe PID: 7388, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Docs.exe PID: 7576, type: MEMORYSTR

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | 1 Credentials in Registry | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 111 Security Software Discovery | Distributed Component Object Model | 1 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                    Source | Detection | Scanner | Label | Link
                    Docs.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno |
                    Docs.exe | 75% | Virustotal | | Browse
                    Docs.exe | 100% | Avira | HEUR/AGEN.1308740 |
                    Docs.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    mail.alkuwaiti.com | 0% | Virustotal | | Browse
                    Source | Detection | Scanner | Label | Link
                    http://www.tiro.com | 0% | URL Reputation | safe |
                    http://www.tiro.com | 0% | URL Reputation | safe |
                    http://www.goodfont.co.kr | 0% | URL Reputation | safe |
                    http://www.carterandcone.coml | 0% | URL Reputation | safe |
                    http://r3.i.lencr.org/0 | 0% | URL Reputation | safe |
                    http://www.sajatypeworks.com | 0% | URL Reputation | safe |
                    http://www.typography.netD | 0% | URL Reputation | safe |
                    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
                    http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
                    http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
                    http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
                    http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe |
                    http://mail.alkuwaiti.com | 0% | Avira URL Cloud | safe |
                    http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
                    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
                    http://www.sandoll.co.kr | 0% | URL Reputation | safe |
                    http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
                    http://www.sakkal.com | 0% | URL Reputation | safe |
                    http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe |
                    http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe |
                    http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe |
                    http://www.founder.com.cn/cn/bThe | 0% | Virustotal | | Browse
                    http://mail.alkuwaiti.com | 0% | Virustotal | | Browse
                    http://www.founder.com.cn/cn | 0% | Virustotal | | Browse
                    http://www.founder.com.cn/cn/cThe | 0% | Virustotal | | Browse
                    http://www.zhongyicts.com.cn | 1% | Virustotal | | Browse
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    mail.alkuwaiti.com | 50.87.219.149 | true | true | | unknown
                    api.ipify.org | 172.67.74.152 | true | false | | high

                    Name | Malicious | Antivirus Detection | Reputation
                    https://api.ipify.org/ | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
50.87.219.149 | mail.alkuwaiti.com | United States | | 46606 | UNIFIEDLAYER-AS-1US | true
172.67.74.152 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false
                                                            Joe Sandbox version:40.0.0 Tourmaline
                                                            Analysis ID:1432055
                                                            Start date and time:2024-04-26 11:08:14 +02:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 6m 55s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:7
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:Docs.exe
                                                            Detection:MAL
                                                            Classification:mal100.troj.spyw.evad.winEXE@3/1@2/2
                                                            EGA Information:
                                                            • Successful, ratio: 100%
                                                            HCA Information:
                                                            • Successful, ratio: 100%
                                                            • Number of executed functions: 166
                                                            • Number of non-executed functions: 28
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe
                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                            • Not all processes where analyzed, report is missing behavior information
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:09:16 | API Interceptor | 37x Sleep call for process: Docs.exe modified
                                                            Process:C:\Users\user\Desktop\Docs.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.885360040283727
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Windows Screen Saver (13104/52) 0.07%
                                                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                            File name:Docs.exe
                                                            File size:765'952 bytes
                                                            MD5:28da32c1cf8ead709f4888f84a697c28
                                                            SHA1:45122f3c46fb3400cc6710a830a259da54b07298
                                                            SHA256:c10f8bc18521b4c90063ae5fc1e0e95e40ed35be3758d90f597d7cc1e3853ade
                                                            SHA512:6d67f361a2f126e35f31e0ff5298bed2ee36e0262a8d71ec5254277c2ed122d9769bb7cc168d00b47616fd381f625a1a6542854c84d9c7cc184c607312fdef13
                                                            SSDEEP:12288:90K/pbM4nsSz3ITyeYmaNKiz4xrreLpSYHK6rPILRwwAF9:90iM4nuTyVXNDz4xIYGK2Wg9
                                                            TLSH:E3F4226475292732C4BEAFFD4535214063F235621031E74EEE7720CE59E2B84E746BAB
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|. f..............0..p...0......Z.... ........@.. ....................................@................................
                                                            Icon Hash:6dd4d6ccd6d0b24c
                                                            Entrypoint:0x4b805a
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x6620AC7C [Thu Apr 18 05:15:40 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb8008 | 0x4f | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xba000 | 0x17d8 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbc000 | 0xc | .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .text | 0x2000 | 0xb6060 | 0xb7000 | ae9d83efb9d569732c0bdfa000ac415b | False | 0.9395932056864754 | data | 7.932093151014693 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rsrc | 0xba000 | 0x17d8 | 0x2000 | ec750b011cc447bc16b980807c25680f | False | 0.6085205078125 | data | 5.79573287972307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc | 0xbc000 | 0xc | 0x1000 | 042375526db1ce8fb6934e0da297d4e5 | False | 0.0087890625 | data | 0.016408464515625623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                            RT_ICON | 0xba0c8 | 0x139b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |  |  | 0.8963937039250847
                                                            RT_GROUP_ICON | 0xbb474 | 0x14 | data |  |  | 1.05
                                                            RT_VERSION | 0xbb498 | 0x33c | data |  |  | 0.4214975845410628
                                                            DLL | Import
                                                            mscoree.dll | _CorExeMain
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Apr 26, 2024 11:09:20.417000055 CEST | 60663 | 53 | 192.168.2.4 | 1.1.1.1
                                                            Apr 26, 2024 11:09:20.542772055 CEST | 53 | 60663 | 1.1.1.1 | 192.168.2.4
                                                            Apr 26, 2024 11:09:21.696875095 CEST | 60655 | 53 | 192.168.2.4 | 1.1.1.1
                                                            Apr 26, 2024 11:09:21.895638943 CEST | 53 | 60655 | 1.1.1.1 | 192.168.2.4
                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                            Apr 26, 2024 11:09:20.417000055 CEST | 192.168.2.4 | 1.1.1.1 | 0xf223 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                            Apr 26, 2024 11:09:21.696875095 CEST | 192.168.2.4 | 1.1.1.1 | 0x683e | Standard query (0) | mail.alkuwaiti.com | A (IP address) | IN (0x0001) | false
                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                            Apr 26, 2024 11:09:20.542772055 CEST | 1.1.1.1 | 192.168.2.4 | 0xf223 | No error (0) | api.ipify.org |  | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                                            Apr 26, 2024 11:09:20.542772055 CEST | 1.1.1.1 | 192.168.2.4 | 0xf223 | No error (0) | api.ipify.org |  | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                            Apr 26, 2024 11:09:20.542772055 CEST | 1.1.1.1 | 192.168.2.4 | 0xf223 | No error (0) | api.ipify.org |  | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                            Apr 26, 2024 11:09:21.895638943 CEST | 1.1.1.1 | 192.168.2.4 | 0x683e | No error (0) | mail.alkuwaiti.com |  | 50.87.219.149 | A (IP address) | IN (0x0001) | false
                                                            • api.ipify.org
                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.4 | 49733 | 172.67.74.152 | 443 | 7576 | C:\Users\user\Desktop\Docs.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-04-26 09:09:20 UTC | 155 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                            Host: api.ipify.org
                                                            Connection: Keep-Alive
                                                            2024-04-26 09:09:21 UTC | 211 | IN | HTTP/1.1 200 OK
                                                            Date: Fri, 26 Apr 2024 09:09:21 GMT
                                                            Content-Type: text/plain
                                                            Content-Length: 15
                                                            Connection: close
                                                            Vary: Origin
                                                            CF-Cache-Status: DYNAMIC
                                                            Server: cloudflare
                                                            CF-RAY: 87a56ef68d2ba683-MIA
                                                            2024-04-26 09:09:21 UTC | 15 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30
                                                            Data Ascii: 102.129.152.220


                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                            Apr 26, 2024 11:09:22.384306908 CEST | 587 | 49736 | 50.87.219.149 | 192.168.2.4 | 220-box2389.bluehost.com ESMTP Exim 4.96.2 #2 Fri, 26 Apr 2024 03:09:22 -0600
                                                            220-We do not authorize the use of this system to transport unsolicited,
                                                            220 and/or bulk e-mail.
                                                            Apr 26, 2024 11:09:22.389646053 CEST | 49736 | 587 | 192.168.2.4 | 50.87.219.149 | EHLO 320946
                                                            Apr 26, 2024 11:09:22.586029053 CEST | 587 | 49736 | 50.87.219.149 | 192.168.2.4 | 250-box2389.bluehost.com Hello 320946 [102.129.152.220]
                                                            250-SIZE 52428800
                                                            250-8BITMIME
                                                            250-PIPELINING
                                                            250-PIPECONNECT
                                                            250-AUTH PLAIN LOGIN
                                                            250-STARTTLS
                                                            250 HELP
                                                            Apr 26, 2024 11:09:22.586282015 CEST | 49736 | 587 | 192.168.2.4 | 50.87.219.149 | STARTTLS
                                                            Apr 26, 2024 11:09:22.783960104 CEST | 587 | 49736 | 50.87.219.149 | 192.168.2.4 | 220 TLS go ahead


                                                            Target ID:0
                                                            Start time:11:09:15
                                                            Start date:26/04/2024
                                                            Path:C:\Users\user\Desktop\Docs.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\Docs.exe"
                                                            Imagebase:0x680000
                                                            File size:765'952 bytes
                                                            MD5 hash:28DA32C1CF8EAD709F4888F84A697C28
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1807736148.00000000048A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1807736148.00000000048A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:11:09:19
                                                            Start date:26/04/2024
                                                            Path:C:\Users\user\Desktop\Docs.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\Docs.exe"
                                                            Imagebase:0xf10000
                                                            File size:765'952 bytes
                                                            MD5 hash:28DA32C1CF8EAD709F4888F84A697C28
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2996631078.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2996631078.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2996631078.000000000348B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2989969989.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2989969989.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:false


                                                              Execution Graph

                                                              Execution Coverage:8%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:190
                                                              Total number of Limit Nodes:15

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tIh
                                                              • API String ID: 0-443931868
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tIh
                                                              • API String ID: 0-443931868
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0107D33E
                                                              • GetCurrentThread.KERNEL32 ref: 0107D37B
                                                              • GetCurrentProcess.KERNEL32 ref: 0107D3B8
                                                              • GetCurrentThreadId.KERNEL32 ref: 0107D411
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1806079694.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1070000_Docs.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0107D33E
                                                              • GetCurrentThread.KERNEL32 ref: 0107D37B
                                                              • GetCurrentProcess.KERNEL32 ref: 0107D3B8
                                                              • GetCurrentThreadId.KERNEL32 ref: 0107D411
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1806079694.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1070000_Docs.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0107B27E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1806079694.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1070000_Docs.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID: N$N
                                                              • API String ID: 4139908857-1044518071
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8bq$8bq$Te^q
                                                              • API String ID: 0-800215726
                                                              • Opcode ID: e0e312e7754b8ea70e4779a15bb8dbf576f16d674520324dec416865b9b7faa6
                                                              • Instruction ID: dd8cd6100098f6d75679f8b34844ccc8e082f794cca75055c9fbfa30e4f952a3
                                                              • Opcode Fuzzy Hash: e0e312e7754b8ea70e4779a15bb8dbf576f16d674520324dec416865b9b7faa6
                                                              • Instruction Fuzzy Hash: AB31C0B4B11205DFD7008B69C844AFA7BF2BF85346F24807AD109AB3A1EB79C952C791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 3H5$3H5
                                                              • API String ID: 0-2752242361
                                                              • Opcode ID: 33d389a938ea6b602bcd735c42c74c47c3c47c92585191537a76eb635df5fdd0
                                                              • Instruction ID: e6df79e4b2cb2373ed16872910fc190688a683d81810ba82c9d27ce0128e10e2
                                                              • Opcode Fuzzy Hash: 33d389a938ea6b602bcd735c42c74c47c3c47c92585191537a76eb635df5fdd0
                                                              • Instruction Fuzzy Hash: B3214AB0D10A09DFDB44CFA9D5409AEFBF1FF89300F14C56AD508A7264E7309A45CB95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075D1E46
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 4edbf852d7c87727e8d57544e5ad2aab6e8fee6ead19414b7e71861513412104
                                                              • Instruction ID: 29091b5a14b21606cfc5ee3990d37c988057e7dcedefdcec62019c328882edb8
                                                              • Opcode Fuzzy Hash: 4edbf852d7c87727e8d57544e5ad2aab6e8fee6ead19414b7e71861513412104
                                                              • Instruction Fuzzy Hash: 2AA15DB1D0061ADFDB20DFA8C8417DDBBB2FF48314F15856AD809A7290DB749985CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075D1E46
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 639b80288dbcd1e271b9bfd174985226e9b9d3eba6c31a7f26d06dd45c4ad8d4
                                                              • Instruction ID: 390c4e43d085c78050c09ad5c9078051e9cf0265a3d95826d6499c061e9aa33f
                                                              • Opcode Fuzzy Hash: 639b80288dbcd1e271b9bfd174985226e9b9d3eba6c31a7f26d06dd45c4ad8d4
                                                              • Instruction Fuzzy Hash: 2E914CB1D0061EDFDB20DFA8C8417DDBBB2BF48314F1585AAE809A7290DB749985CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 010759C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1806079694.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1070000_Docs.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 1b8093705670244176e1965dd04e5569340d3ddbf64e00706bd3c546f37a04fe
                                                              • Instruction ID: 2427b8c8a86b73194c60a1f4cae879bbe3c9056609a3c2fa6db490076beaf869
                                                              • Opcode Fuzzy Hash: 1b8093705670244176e1965dd04e5569340d3ddbf64e00706bd3c546f37a04fe
                                                              • Instruction Fuzzy Hash: CD41E0B0C00719DBDB24DFA9C884ACEBBF5BF49304F2480AAD448AB255DB756946CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 010759C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1806079694.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1070000_Docs.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: cf12cb53ad7c8be98763ede88dd7aa28c99ee31b40b1fd0a1a5a5aef2377bafa
                                                              • Instruction ID: 338c70fa47734d9cd97640704b8f3dddb50dc591c13e299447aec3935103e0a1
                                                              • Opcode Fuzzy Hash: cf12cb53ad7c8be98763ede88dd7aa28c99ee31b40b1fd0a1a5a5aef2377bafa
                                                              • Instruction Fuzzy Hash: 6941EFB0C00719DFDB24DFA9C884ADEBBF5BF48304F2480AAD448AB251DB755986CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • PostMessageW.USER32(?,?,?,?), ref: 075D4B35
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: c0120d4fa936dc956c7d90c67fc8d9f8d960fcd647d4bf2c9fb5d3d4a0f9589d
                                                              • Instruction ID: 4205a819de33b7a844238402834ae9019d639867886ac4fb5406314b6a83b720
                                                              • Opcode Fuzzy Hash: c0120d4fa936dc956c7d90c67fc8d9f8d960fcd647d4bf2c9fb5d3d4a0f9589d
                                                              • Instruction Fuzzy Hash: CC3102B5900249DFCB20DF9AD589BDEBFF8FB48324F10841AD958A7240D375A944CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075D1A18
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: df4a8f8d77b48126fec723589389150024e9f24da5688468a4fe425e960e1ca7
                                                              • Instruction ID: cdbeb3d12568e4ced9481f0b940f2050c72091466f40182678a8108abd50495d
                                                              • Opcode Fuzzy Hash: df4a8f8d77b48126fec723589389150024e9f24da5688468a4fe425e960e1ca7
                                                              • Instruction Fuzzy Hash: A52148B59002199FCB10DFA9C9857DEBBF5FF48310F10842AE559A7240C7789945CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075D1A18
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: efb7f08c0c2db154bac139d5f57c577787e6b3598b13d0c8da848c92f0ce7e10
                                                              • Instruction ID: 74e68b0511b576e3f46b63e7b5c187e5399cd91883d39d52e0ee6056009ad2c1
                                                              • Opcode Fuzzy Hash: efb7f08c0c2db154bac139d5f57c577787e6b3598b13d0c8da848c92f0ce7e10
                                                              • Instruction Fuzzy Hash: 712136B590035D9FCB10CFA9C885BDEBBF5FF48310F10842AE958A7250C7789984CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075D1436
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 3ce86cc960c86d1015a1ceea5ae6a17ea5f3ff515ff62cfc1161243897311ea3
                                                              • Instruction ID: 6cc483c020fdeaba027feecbcc22a47de72cca380b9b9c71c6d9f78c23e74683
                                                              • Opcode Fuzzy Hash: 3ce86cc960c86d1015a1ceea5ae6a17ea5f3ff515ff62cfc1161243897311ea3
                                                              • Instruction Fuzzy Hash: 1B2165B6D002098FDB20DFA9C5857EEBBF4EF48320F14842AD459A7241DB789985CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075D1AF8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 52710471c48d75d94321bf1ac8a66440ddb0fab555534231465ca9bc9ad90947
                                                              • Instruction ID: 27f831309d05575a6b1787662a9f8cd022f6fd49ce4f937dd4b789fba38a6f88
                                                              • Opcode Fuzzy Hash: 52710471c48d75d94321bf1ac8a66440ddb0fab555534231465ca9bc9ad90947
                                                              • Instruction Fuzzy Hash: 9F214AB19003599FDB10DFA9C840AEEBBF5FF48320F10852AE569A7250C7389941CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0107D58F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1806079694.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1070000_Docs.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: cac41435bff03b2247bbcbccccaef6409b6e44df52605b86916704a238fa2f45
                                                              • Instruction ID: bbacb0ceb8d337db00a7e518e6b01b85c70605858ae379a515c2c6c8d61feb46
                                                              • Opcode Fuzzy Hash: cac41435bff03b2247bbcbccccaef6409b6e44df52605b86916704a238fa2f45
                                                              • Instruction Fuzzy Hash: EE21E3B59002199FDB10CFAAD584ADEBFF8EB48310F14841AE958A7350D374A940CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075D1436
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: deb565ea88b8ed536f28fada732524f3fefb547f9e99040fdb87b9603a5a2c98
                                                              • Instruction ID: 8357869c349ad9ac360f4c643ab8ac55c1703ec4d1520c5a090530d62be79c82
                                                              • Opcode Fuzzy Hash: deb565ea88b8ed536f28fada732524f3fefb547f9e99040fdb87b9603a5a2c98
                                                              • Instruction Fuzzy Hash: D92118B1D002098FDB10DFAAC4857EEBBF4EF48324F54842AD459A7241D7789985CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075D1AF8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: b51e54d49983789940ee3d1710f887651e5e14986552514c6fa98bf15db98bea
                                                              • Instruction ID: 430f116a8e2b62783fc53e05999cb7cef47348864cd09540534155fa18910528
                                                              • Opcode Fuzzy Hash: b51e54d49983789940ee3d1710f887651e5e14986552514c6fa98bf15db98bea
                                                              • Instruction Fuzzy Hash: 1D2139B19003599FDB10DFAAC884ADEFBF5FF48310F10842AE559A7250C7789944CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0107D58F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1806079694.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1070000_Docs.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 99990b8310acc97990ea80b450b238b41a1399c385fc8f8e20b20395aa237c49
                                                              • Instruction ID: 03e0dc2fedae6160c678687111f0796eb5e1373426ce5500a8baf2d255e72d1d
                                                              • Opcode Fuzzy Hash: 99990b8310acc97990ea80b450b238b41a1399c385fc8f8e20b20395aa237c49
                                                              • Instruction Fuzzy Hash: 8D21E4B5D002189FDB10CFAAD584ADEBFF8EB48310F14841AE958A3350D374A940CFA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0107B2F9,00000800,00000000,00000000), ref: 0107B50A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1806079694.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1070000_Docs.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075D1936
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0107B2F9,00000800,00000000,00000000), ref: 0107B50A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1806079694.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1070000_Docs.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075D1936
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0107B27E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1806079694.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1070000_Docs.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • PostMessageW.USER32(?,?,?,?), ref: 075D4B35
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Te^q
                                                              • API String ID: 0-671973202
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: r
                                                              • API String ID: 0-1812594589
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Te^q
                                                              • API String ID: 0-671973202
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: O};5
                                                              • API String ID: 0-3558557551
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: r
                                                              • API String ID: 0-1812594589
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Te^q
                                                              • API String ID: 0-671973202
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: O};5
                                                              • API String ID: 0-3558557551
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Te^q
                                                              • API String ID: 0-671973202
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: x
                                                              • API String ID: 0-2363233923
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 3H5
                                                              • API String ID: 0-3899204960
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Te^q
                                                              • API String ID: 0-671973202
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b96eec396ffeaea9a88dd58d7fbcb9527cbc9485ec105df975c6d3af06375fbb
                                                              • Instruction ID: f81e3643ac4990b0c641c814098dbd946b29651485f85f6b177fb4713d0f3419
                                                              • Opcode Fuzzy Hash: b96eec396ffeaea9a88dd58d7fbcb9527cbc9485ec105df975c6d3af06375fbb
                                                              • Instruction Fuzzy Hash: 7F519FB0E1020A9BEB049FA8C8907BEB7B2FF48704F108926E551972E5DB349D42DB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aea8f142c293b70f320d2b3ab56bb28f11eda6134c9d0f0b8a8e16e6c4ce4696
                                                              • Instruction ID: aa03d907ca96f321d5672370f91442b1de4f3c60abb488841fa85b6749caab19
                                                              • Opcode Fuzzy Hash: aea8f142c293b70f320d2b3ab56bb28f11eda6134c9d0f0b8a8e16e6c4ce4696
                                                              • Instruction Fuzzy Hash: 9B4146F4E19209CBDB08CF9AE4546EEBBF6FF89301F14D02AE409A32A1DB344941CB54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cd5432129b44ada03a1aec80cdc04e13a25d73001a32a66a2c49de7aa73fa8db
                                                              • Instruction ID: 5e92a2137c4d4484418eb94e2358b9f75dd20c787a40b5ae4317938053d050f6
                                                              • Opcode Fuzzy Hash: cd5432129b44ada03a1aec80cdc04e13a25d73001a32a66a2c49de7aa73fa8db
                                                              • Instruction Fuzzy Hash: 8D41B1B8919784CFD706CF69E484988BFB0AF8A211F0A80C6D484DB3B3D6349985C712
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dafea94a27e937987bc837e21f28955233fce16dc7c9f5da70d37721681059b1
                                                              • Instruction ID: ea1b9ad8c8c6d0aa4f8ca30d5bbe9e36ccca0653bd5af29115a5f6f36344e8ad
                                                              • Opcode Fuzzy Hash: dafea94a27e937987bc837e21f28955233fce16dc7c9f5da70d37721681059b1
                                                              • Instruction Fuzzy Hash: 2F414AB4E1020A9FCB04CF95D8419EEFBB2FF89310F209526E515BB3A4D7719A45CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 15fa12b081e2548b6f096c04e7d2b08e20f449833e82e33d084aff60a92bfd45
                                                              • Instruction ID: c5850f90ba1d9f020d345adaebb26f3b9b6705e53948837320ba841ad81ae9fa
                                                              • Opcode Fuzzy Hash: 15fa12b081e2548b6f096c04e7d2b08e20f449833e82e33d084aff60a92bfd45
                                                              • Instruction Fuzzy Hash: 56418AB4E0020A9FCB04CF95D8419EEBBB2FF89310F24952AD415BB3A0D7709A44CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7991ad2e19ac95edead8f1910e45ebdf6a0024a40fb6d8527dc07ace481ae198
                                                              • Instruction ID: 563fabbaa0a212f23b39221267d581a67f4b2430978087807279b060c6839c75
                                                              • Opcode Fuzzy Hash: 7991ad2e19ac95edead8f1910e45ebdf6a0024a40fb6d8527dc07ace481ae198
                                                              • Instruction Fuzzy Hash: E8316DF4E09209CFDB09CB96E5542EEBBF6FF89301F14D06AE409A72A1DB340941CB54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 852c19bdc3106dd17942dcc9aa2a7adeee9ef5f9c844c096596dc5dfa4b06d85
                                                              • Instruction ID: 4a5c4d999e41d1b08574c58c35336ef4c5ee10f42d331696f987d7229face284
                                                              • Opcode Fuzzy Hash: 852c19bdc3106dd17942dcc9aa2a7adeee9ef5f9c844c096596dc5dfa4b06d85
                                                              • Instruction Fuzzy Hash: CF317AB2E1452ACBC7188BA9C8406FEB7B2FF44314F148126F465D72B1D738F841D662
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 87f7a8b1b9a1a418bad7ba96a4ee231f0e9d38e3041598e3ec27c0c052d7ae65
                                                              • Instruction ID: a5b3fb4e69a3f625b5a41eaeb4d674ab2030d93b0940dff7ac2fb7d8d72bd34e
                                                              • Opcode Fuzzy Hash: 87f7a8b1b9a1a418bad7ba96a4ee231f0e9d38e3041598e3ec27c0c052d7ae65
                                                              • Instruction Fuzzy Hash: B321F470B542459FE71C8B1589057A6B7A2BB82B05F64C86BF1058F2A2CA36EC85C761
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1805520308.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e0d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 45bbcd6230670b2e361979a7491d073c97c619922b1b95eed13c5c5fe94dc306
                                                              • Instruction ID: 09c5c597f165f542d36177be75b1b7270db80f5a7e24e2d37559e73c308c8e66
                                                              • Opcode Fuzzy Hash: 45bbcd6230670b2e361979a7491d073c97c619922b1b95eed13c5c5fe94dc306
                                                              • Instruction Fuzzy Hash: EC212271508240DFCB05DF54DDC0B2ABF65FB98328F20C569EC096B296C336D896CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0fc5304c73dfb9586ed2bc153f4cf5457ef7d505bc2df9ded1081606bb35d304
                                                              • Instruction ID: 660baabcb414622082a7e326db6c5af88d550ee8dd3ed5430199b3dd719dc1bb
                                                              • Opcode Fuzzy Hash: 0fc5304c73dfb9586ed2bc153f4cf5457ef7d505bc2df9ded1081606bb35d304
                                                              • Instruction Fuzzy Hash: A4312C74A14209CFC700DFA5E59A9ACBBF5FF49308F149665E00A9B3AADB749C44CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1805595635.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e1d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aef4ce3f0a2f7c63077845dfdac6dabc60fea700f3ffc9c4e91c9dda259d160c
                                                              • Instruction ID: 61839bca044ae0997616f96b89a26d6b0649ea9a65d08bb5d8c6f5201447fb2d
                                                              • Opcode Fuzzy Hash: aef4ce3f0a2f7c63077845dfdac6dabc60fea700f3ffc9c4e91c9dda259d160c
                                                              • Instruction Fuzzy Hash: BD212971508204EFDB05DF54DDC0BA6BBA5FB84318F30C66DD8195B265C336D886CA61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1805595635.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e1d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cd20d98d1a94a628e2ad89daa78c8ae46fde52b46f820a6c97621cdaf9c1cc16
                                                              • Instruction ID: e6829c89f28ddae1079c16fe15ad21d89ffb9bd4cd8dd5931ce59f50b5180aef
                                                              • Opcode Fuzzy Hash: cd20d98d1a94a628e2ad89daa78c8ae46fde52b46f820a6c97621cdaf9c1cc16
                                                              • Instruction Fuzzy Hash: 7021F275608200DFCB14DF14D984BA6BBA6FB88318F20C56DD80A5B296C33AD887CA61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 17cd5043d798f698e27d31546759bf16059164aaec3cb47213886f857017623e
                                                              • Instruction ID: 731882cb9815d8fb7f30a1e670e2f6441ea0e84fdbf10b97863b9640ad04aafe
                                                              • Opcode Fuzzy Hash: 17cd5043d798f698e27d31546759bf16059164aaec3cb47213886f857017623e
                                                              • Instruction Fuzzy Hash: 172127B4A18259CFDB10CFA4C584AEDBBB6BF4A310F209595D409BB2A1C630AD41CF71
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 91da5c4239701e76db5bf5be78033a8af31f2ceac36942981313d6393a33a172
                                                              • Instruction ID: 5d175e4466f9700fa8237e4397ef644f7ac3c872d0c70d56a5afb75ee58c59da
                                                              • Opcode Fuzzy Hash: 91da5c4239701e76db5bf5be78033a8af31f2ceac36942981313d6393a33a172
                                                              • Instruction Fuzzy Hash: 1C31E0B0D01258DFDB20CFA9C989BCDBBB4BF08314F24845AE405BB250D7B55885CF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ac45b05dfb53509258eaef4ca62982189c47e7551c9c9ac81a6e1632b9fbe137
                                                              • Instruction ID: 53c2cc9e45827e051ebe2bbb6f9bccf88ffc79e316d540a33d64fcb3a991e5bb
                                                              • Opcode Fuzzy Hash: ac45b05dfb53509258eaef4ca62982189c47e7551c9c9ac81a6e1632b9fbe137
                                                              • Instruction Fuzzy Hash: 2C21D170B05241DFE71C8B15C9057B6B7A2FB82705F54C8ABF1154F2B2CA36E985C761
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f68240611fc9eeee74afc0cc1804249f0dc58aa0f6335fc40f4448303b734e64
                                                              • Instruction ID: adbd7e80351a8bce319e8c3ac6bbc4733d801a97d68171505eca21056e65e198
                                                              • Opcode Fuzzy Hash: f68240611fc9eeee74afc0cc1804249f0dc58aa0f6335fc40f4448303b734e64
                                                              • Instruction Fuzzy Hash: 7D21CEB0C112589FDB20CFA9C998BCEBBF4BB08714F24845AE409BB290D7B55885CB95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63857fe28e3a787d8f47bdb84132cab31811892c2637c421305e1b7e56ab9c56
                                                              • Instruction ID: 3e7720569fb5a514d3ec40d403538e3f191e6bf7857fbd8333ffda8f9c6f4326
                                                              • Opcode Fuzzy Hash: 63857fe28e3a787d8f47bdb84132cab31811892c2637c421305e1b7e56ab9c56
                                                              • Instruction Fuzzy Hash: 5511E372B0031A5F8B11EB7998444BFBBFBEFC4260714892AE855D7341EB30CD0187A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1805595635.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e1d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5825c6d758e1d13bc63352b8c9e7ac253d9a083241403e4d83d42bb2068160f6
                                                              • Instruction ID: 22c56f20ab42a7dfb13f27a0e6bc4467c639958e5e63e1651520e10f5e8703ed
                                                              • Opcode Fuzzy Hash: 5825c6d758e1d13bc63352b8c9e7ac253d9a083241403e4d83d42bb2068160f6
                                                              • Instruction Fuzzy Hash: 1221837550D3808FC702CF24D994755BF71EB46318F28C5DAD8498F2A7C33A984ACB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3ce68bfc2745b3ac35e652f2811028556908b09df087daa4beed26b913b0e4a7
                                                              • Instruction ID: 6ba195ee9cdabd97a17307fb27a1f37e62fde66c19c790ea4efc7efc6463f3a3
                                                              • Opcode Fuzzy Hash: 3ce68bfc2745b3ac35e652f2811028556908b09df087daa4beed26b913b0e4a7
                                                              • Instruction Fuzzy Hash: A22190B4A11908DFD704DF5AE088999BFF1FF8C310F5280D5E4489B265DB31A9A5CB01
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 538ea3667932a79627d80ab23da0a716c38e5ebe833fc290147e95cfbdddddc1
                                                              • Instruction ID: c8c939a53530c3229781a85e3eface6c62ea876a90ec0b0a67f1dabc1f470a66
                                                              • Opcode Fuzzy Hash: 538ea3667932a79627d80ab23da0a716c38e5ebe833fc290147e95cfbdddddc1
                                                              • Instruction Fuzzy Hash: 6911A3B0F4820D9FDB189E7998506BF7BA6FB84750F048D29E909DB3E0EA309D4087D0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 37861c21ba9ca8b5fafc6f9e0c949dfa378855235f722243749862081eec60fc
                                                              • Instruction ID: f75caa137ae91f2a7d9fec23a31c48b41b45a0df2fd3dbceebdd7cf73304f030
                                                              • Opcode Fuzzy Hash: 37861c21ba9ca8b5fafc6f9e0c949dfa378855235f722243749862081eec60fc
                                                              • Instruction Fuzzy Hash: 4021F7B1D016188BEB18CF9AD9557DEFFB6AFC9300F04C06AD408B62A4DB7509458FA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2cd95ee9caf5c830331f029b3cb480d4bdc4135e71267965b5870ea01f0ca451
                                                              • Instruction ID: 04299b35c9f25c0dc109bc075ad1924145ca32ed61c655722da494f97138f968
                                                              • Opcode Fuzzy Hash: 2cd95ee9caf5c830331f029b3cb480d4bdc4135e71267965b5870ea01f0ca451
                                                              • Instruction Fuzzy Hash: 0B21B2F4E15209DFCB80CFA9C181AEEBBF5BB4A300F609859D809A7765D7709A40CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c7bc3c0e373c0b5f785300fb0cf415d6052b44894787eb14df9c5335b15b2055
                                                              • Instruction ID: 5616258d0e069240e7b0426334ff1baf98dadadbbc69cf8b6ae76a0042d7bb46
                                                              • Opcode Fuzzy Hash: c7bc3c0e373c0b5f785300fb0cf415d6052b44894787eb14df9c5335b15b2055
                                                              • Instruction Fuzzy Hash: 6321FA74A14209CFC700DF99E59A5ACBBF5FB49304B149665E40A9B3AADB345C45CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d2ccb58deabf7f25530f308ab4f18a846b60cf499376f7aeae338d818e35e94d
                                                              • Instruction ID: 03c5825bc6baf5cf7efb14234265abf203f556849685fe9a257e0033a9814506
                                                              • Opcode Fuzzy Hash: d2ccb58deabf7f25530f308ab4f18a846b60cf499376f7aeae338d818e35e94d
                                                              • Instruction Fuzzy Hash: 3A111FB4E09208DFCB05CFA9D4449EDBBB5FF4A310F00D69AE80897321D7319A45DB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3a7567c57bcd42c84826ed5bf349eb8ba9cb11344b353e67dbdf6c8c59990bc1
                                                              • Instruction ID: 386a81c203a259206b58012ca30becee9847818322d49cb90e114b755ae9debe
                                                              • Opcode Fuzzy Hash: 3a7567c57bcd42c84826ed5bf349eb8ba9cb11344b353e67dbdf6c8c59990bc1
                                                              • Instruction Fuzzy Hash: 182127B58043499FCB10CF9AD884ADEBFF4FB49310F14841AE958A7211D378A544CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1805520308.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e0d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                              • Instruction ID: 11ccf721b183ea25ae79bf024e65870d30a7539c6f012213c827c6b192f4f20b
                                                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                              • Instruction Fuzzy Hash: F2110372404280CFCB02CF54D9C4B16BF71FB98328F24C6A9DC091B296C336D85ACBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: adcaa59b922e2ea5d213dc7e1e11aa6613284007b061f72e374115aa9aed067c
                                                              • Instruction ID: 7e2a53fe1b97383a619a4904331f5b0762fae78e1ed30a2d9dfd9317c16ae701
                                                              • Opcode Fuzzy Hash: adcaa59b922e2ea5d213dc7e1e11aa6613284007b061f72e374115aa9aed067c
                                                              • Instruction Fuzzy Hash: 6C21D3B5D0434D9FCB10DF9AD884ADEBBF4FB49320F14841AE919A7210C379A954CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7ec4e177c97e0bbb564a939f2ff263890f8379ba30c85e9cdc3983d41de863ca
                                                              • Instruction ID: f13042ce759757505763a0471cb575a4c56baabeb91ea6e3346b4dd4c53d865c
                                                              • Opcode Fuzzy Hash: 7ec4e177c97e0bbb564a939f2ff263890f8379ba30c85e9cdc3983d41de863ca
                                                              • Instruction Fuzzy Hash: FD110AB0E19208DFCB04DFA9D581AEDBBF5FF4A310F11969AD418A7226D3309A45DB80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1805595635.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e1d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                              • Instruction ID: a86d3681f018002109fd5a0f7730aefa8e05aa1bee66a596bc9d1b48906352c9
                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                              • Instruction Fuzzy Hash: C211BB75508280DFCB02CF54C9C4B55BBA1FB84318F24C6AAD8494B6A6C33AD89ACB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 607f002b8ffaced1853bac5254d923944bef6d12aaaef0fa8f7f51a9733fdb07
                                                              • Instruction ID: 3f3dc603d4c0ecf3c5d9fa0a9cbaeb52450d8bac3f409d023d510c70c9f4ba60
                                                              • Opcode Fuzzy Hash: 607f002b8ffaced1853bac5254d923944bef6d12aaaef0fa8f7f51a9733fdb07
                                                              • Instruction Fuzzy Hash: 0911B2B1D006188BEB18CF9BD8457DEFAF6AFC8300F14C06AD409762A4DB7509458FA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 74943796c6da23952cec5cf304b25991fbd7c7437535419b56d15f55cc77284a
                                                              • Instruction ID: e330af68a61b31b704e66ec1bc7a83d67f16e986d5cb15e576cef4789a765329
                                                              • Opcode Fuzzy Hash: 74943796c6da23952cec5cf304b25991fbd7c7437535419b56d15f55cc77284a
                                                              • Instruction Fuzzy Hash: BA212C74A14209CFC700DF99E59A6ADBFF5FB49304F149665E4199B3A6DB345C40CF80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 60708d7cda1206f44bf3eb1085e4daf8c530977266b61eadc00d2672f6853894
                                                              • Instruction ID: 6868e200c791e052197ef9142610fd7df9470eeaebe3e848175f673c57be892e
                                                              • Opcode Fuzzy Hash: 60708d7cda1206f44bf3eb1085e4daf8c530977266b61eadc00d2672f6853894
                                                              • Instruction Fuzzy Hash: 512108B4A21218CFDB50DF64E98ABAABBB6FF84200F518595E009A7394DF305D85CF10
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 197ded30b46a6b608f92ae4bdc8a96945484aec0f8c6ff8eacebfbae51ac253d
                                                              • Instruction ID: c352e5561c209d9d2985c797463f347cb1ed1885058c5e6cdaa680ed8845a88c
                                                              • Opcode Fuzzy Hash: 197ded30b46a6b608f92ae4bdc8a96945484aec0f8c6ff8eacebfbae51ac253d
                                                              • Instruction Fuzzy Hash: 14014075618244DFC701DBA4D689AE9BFF5EF4B310F1981C5E4499B2A2C7319E01DB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 29d9c0a7c0a6482bb1a1f46081721622e637a41c3429acabee685a72046840e3
                                                              • Instruction ID: 5197813814f1128f8e76ea3c6da94d26d31eb270f4b7f8d8502f5fd252444d10
                                                              • Opcode Fuzzy Hash: 29d9c0a7c0a6482bb1a1f46081721622e637a41c3429acabee685a72046840e3
                                                              • Instruction Fuzzy Hash: BB11B7B4E09209DFCB04DFA9C581AEDBBF5FB49310F1096A9D518A7325D7709A419B80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4606d8a08cd3e4a5fe40d5fdc7d30d73bc9db8b07e040037ca0a98ffacc1c07b
                                                              • Instruction ID: f01634654d49cce851500fd34f32b43f30d5036629e70856d9f6b145190e8a3f
                                                              • Opcode Fuzzy Hash: 4606d8a08cd3e4a5fe40d5fdc7d30d73bc9db8b07e040037ca0a98ffacc1c07b
                                                              • Instruction Fuzzy Hash: B301F272F001058FCB44DF6CD9C08AE7BE2BBC8214714842AE505D77A9CB31ED069B91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 04752ec562daf363955222fc2afd3534883a8b19f2c275180802ab483a751db8
                                                              • Instruction ID: 258c3c7853fcd0da7489f20bb742ad7cc96916bcaf76130597d5b37412da1632
                                                              • Opcode Fuzzy Hash: 04752ec562daf363955222fc2afd3534883a8b19f2c275180802ab483a751db8
                                                              • Instruction Fuzzy Hash: 80118074A00248AFCB05DFB9D985A9DFFF5EF09310F14C1D5E4449B3A2DA319A41CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65f0b277e9cc429bccb17ded26f3cc931e7ffab2571430fd4e9e0b126066f1cf
                                                              • Instruction ID: 956a03bcfa2b27f5c991d1cd14dff4e5d12359089d18a8425f6dac2ce69c5600
                                                              • Opcode Fuzzy Hash: 65f0b277e9cc429bccb17ded26f3cc931e7ffab2571430fd4e9e0b126066f1cf
                                                              • Instruction Fuzzy Hash: AB01C48245EBE11EE303BBBC99713D57F209F53215F0A00E7D0C48A4B7D548849D83BA
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1805520308.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e0d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e92136b1d01f381cbf3267322127e97cbcc49faa608adc11732fd93e421c3db
                                                              • Instruction ID: 39f3ff463de8d28ee247adf7c5829b8dcb96733a637474f3047f5d4c79e3eb09
                                                              • Opcode Fuzzy Hash: 8e92136b1d01f381cbf3267322127e97cbcc49faa608adc11732fd93e421c3db
                                                              • Instruction Fuzzy Hash: ED01A77100C3409AE7109EA9CD84BA7BF98DF41328F1CC52BED095A2C6D6799880C771
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bfd5152816fedadc32662fe13fe8658125e12f0471110976ee76fe229680cf62
                                                              • Instruction ID: eed4051acb17e3bbb56c370a05d336826453a436658a506bcc918d205ee024ad
                                                              • Opcode Fuzzy Hash: bfd5152816fedadc32662fe13fe8658125e12f0471110976ee76fe229680cf62
                                                              • Instruction Fuzzy Hash: D511A1B4A052499FCB01DFA8D4809EEBFF0FF0A311F248196E850A7391C6349B41DBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e430738721270dd8617770d38f2fd38e9abe1906772035762dd8f60d44b6a270
                                                              • Instruction ID: bad6cc28993f434950fb740871352cdb4309e5bf498e3db6466b3c8b56e33301
                                                              • Opcode Fuzzy Hash: e430738721270dd8617770d38f2fd38e9abe1906772035762dd8f60d44b6a270
                                                              • Instruction Fuzzy Hash: E9018172F0521A8BDB14EFB8A9015EEFBB0FF89355F10407AC504E6210E7358626CBE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7426d345af79552102752d34238c8f06a8bcd1ed0cdcca3e0a955a203ec044ff
                                                              • Instruction ID: f028ac66aadde88bd67aea9a71756a49a7191179f5e5de26d50e63cd85e8a24a
                                                              • Opcode Fuzzy Hash: 7426d345af79552102752d34238c8f06a8bcd1ed0cdcca3e0a955a203ec044ff
                                                              • Instruction Fuzzy Hash: B1118378911269CFDB65CF64D944FA8BBB1BF0A201F1041D6E809B73A1DB319E81CF20
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0c65b539e06a71b965bcbd395986142c73f167d51f9b93c38d380d15fb0195b3
                                                              • Instruction ID: 0f87651c0a091bec8167828e8af92d4f7cd52b5d4b86b19285e75c8721c322cb
                                                              • Opcode Fuzzy Hash: 0c65b539e06a71b965bcbd395986142c73f167d51f9b93c38d380d15fb0195b3
                                                              • Instruction Fuzzy Hash: 8B119274E01258CFCB65CFA9D680A9CBBF2BB48310F1484A9E509A7365DB359A80CF00
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1805520308.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e0d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              • Opcode ID: 375d4a2c7fa802a62c1c68737c24c6bedec040df9b7765d80a440de3311aec7b
                                                              • Instruction ID: 7667871f39922819bb14d22e181f0c95cb920a4ef9113f0d09b42d5eb910010c
                                                              • Opcode Fuzzy Hash: 375d4a2c7fa802a62c1c68737c24c6bedec040df9b7765d80a440de3311aec7b
                                                              • Instruction Fuzzy Hash: F4D017B0901208DBCB14EFA4E54959DBFB4BF42306FA082A9E80823290CF315E84DB85
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a68f844b8701f9598e18bc7b49d616b9f901e22460a136bf61b46ca3c6b29f47
                                                              • Instruction ID: cfb5427b23d07cd988da6fa48f1950fbe5e541937b8bf96f65b7dae458120c02
                                                              • Opcode Fuzzy Hash: a68f844b8701f9598e18bc7b49d616b9f901e22460a136bf61b46ca3c6b29f47
                                                              • Instruction Fuzzy Hash: 9DE08C70921304CFCB54DFA0D449599BB71FF44341B1044A5E81ADF2A8C7368981CF60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e24c8955eefc5e335a9b0c4123916c5f1b082effceee35a67e9850e5e983e70
                                                              • Instruction ID: c8c31c87c279c7856e3261ca23b69e92f4fcfede7ee47e48f56a230186009cfa
                                                              • Opcode Fuzzy Hash: 2e24c8955eefc5e335a9b0c4123916c5f1b082effceee35a67e9850e5e983e70
                                                              • Instruction Fuzzy Hash: A4C08C7011130987C2142BA4FA0E3643FA8AF40202F54C012F188004B08E604040C6A7
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 05e05f7930f9c6fb26f1d966389146a171e645e3229a90c086d7dca4eb4ee816
                                                              • Instruction ID: 072ef3dfcb03279cc813d5bff03c73dd8f70d5dbc88c41dca2b07b5c15f13521
                                                              • Opcode Fuzzy Hash: 05e05f7930f9c6fb26f1d966389146a171e645e3229a90c086d7dca4eb4ee816
                                                              • Instruction Fuzzy Hash: C3C08CB70BC4821AE3017720CC276806F60FB52209B1940538464C8072E06C407C9A22
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bec9fb5c556ea2cb4bda84a0cdcb5eff793df76ee24d7e1bed7e76f870c506f6
                                                              • Instruction ID: 6520b168f29e91b0a50b33852acad5c8b734469efb2c6d9762754bf4c227bb5b
                                                              • Opcode Fuzzy Hash: bec9fb5c556ea2cb4bda84a0cdcb5eff793df76ee24d7e1bed7e76f870c506f6
                                                              • Instruction Fuzzy Hash: F2C01270A2010A8FCB00EF54D285298BBB9AB59204B109A1090258239ACF7488469F21
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c9c6042640e2b67b92bb708c8d6e238b2f5e3e4984f0681deb0caf4bf530e8b6
                                                              • Instruction ID: 78bf3ad7587ed64e3699eebcd65c2e11091c3a3e1e1d1b69d5ebc99197974deb
                                                              • Opcode Fuzzy Hash: c9c6042640e2b67b92bb708c8d6e238b2f5e3e4984f0681deb0caf4bf530e8b6
                                                              • Instruction Fuzzy Hash: 4BC01230826A898BD708CA90C58A0ADBB72FF8A300B208814C006EA1A8D6346541CA10
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: debccd342127789ffb062463cbe759651a2ef99a228f3debb89633a72de7180e
                                                              • Instruction ID: 53fccd8ca717c041bcf6fe6f18543159b26242e75afcb66a78775d652a10ac49
                                                              • Opcode Fuzzy Hash: debccd342127789ffb062463cbe759651a2ef99a228f3debb89633a72de7180e
                                                              • Instruction Fuzzy Hash: 00B012E55E4502F3A50123644D84C7BDE00FFF6B10F00CC157709510748522C465F23B
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 653cf289eba1770fbe85e861aec51e88a8a0d925ae2cfa7547a8ecd9bbba7023
                                                              • Instruction ID: eebbc812d312592764208fbfff99f7fa7eab890dcb29faa31064c9e69e65d43e
                                                              • Opcode Fuzzy Hash: 653cf289eba1770fbe85e861aec51e88a8a0d925ae2cfa7547a8ecd9bbba7023
                                                              • Instruction Fuzzy Hash: CDB012B855F608CBD6004A44C8F40F036F8FB06A2035C81C0C8682F7529272C500DF80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: T+-q$[V~*$]\`
                                                              • API String ID: 0-3978741314
                                                              • Opcode ID: 7d5a981c1da3e3f4b729768a44ad41ee1981ba4fff03e40693982fb77b648364
                                                              • Instruction ID: d8c3d176627b7cf0d08bddfb331afe975fb41ec57088cf3fea20c2d2f13b59fa
                                                              • Opcode Fuzzy Hash: 7d5a981c1da3e3f4b729768a44ad41ee1981ba4fff03e40693982fb77b648364
                                                              • Instruction Fuzzy Hash: E1B1C8B4E156199FDB08CFEAD5808DEFBF2BF89300F14D526E415AB264D730A9418F64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PH^q$PH^q
                                                              • API String ID: 0-1598597984
                                                              • Opcode ID: d8a54d71502190333b78c893eccfd54cb44d25286ee68437152468b48870c185
                                                              • Instruction ID: de9c355135424a139e54f476c2378c14731ba5ecbf90d34c77260c378a369b35
                                                              • Opcode Fuzzy Hash: d8a54d71502190333b78c893eccfd54cb44d25286ee68437152468b48870c185
                                                              • Instruction Fuzzy Hash: E7D1C374A00605CFDB18DF69C598AE9B7F1BF89701F2580A9E406AB371DB31AD45CF60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Kk$Z;ya
                                                              • API String ID: 0-687208382
                                                              • Opcode ID: 8a1996d3ec95dcb455ccd032c31c08fe0942152221301d626347173bfb392372
                                                              • Instruction ID: 4bb3f70dc5c450a51954ea2925dbf7e326ec71a02bb5f62637bf10a2cddb6a39
                                                              • Opcode Fuzzy Hash: 8a1996d3ec95dcb455ccd032c31c08fe0942152221301d626347173bfb392372
                                                              • Instruction Fuzzy Hash: 10415EB0D05A0EDBCB05CBA5D5814EEFFB2FF89340F24C999C405A7265D7349A41DB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ]f
                                                              • API String ID: 0-2286122321
                                                              • Opcode ID: ddc0b483e2270fc982b4493808f262db54b5e0c6062c748d1c47fb00f70c423c
                                                              • Instruction ID: 932b063d9586a901ac980639dbeb464d5a6d10f6cf94698f7bfd1f2b81d818d9
                                                              • Opcode Fuzzy Hash: ddc0b483e2270fc982b4493808f262db54b5e0c6062c748d1c47fb00f70c423c
                                                              • Instruction Fuzzy Hash: B0E1FAB4E005198FDB14DFA9C5809AEFBF2BF89304F249169E419AB356DB30AD41CF61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fe60d585f81f98f6818e00b0a1124d0f0820150763039832fdb4fc6b50eb5d5b
                                                              • Instruction ID: b0539ab5136c8ae0aef43ad50ba7311770bbb487b468e2e3282c2c491fb822ad
                                                              • Opcode Fuzzy Hash: fe60d585f81f98f6818e00b0a1124d0f0820150763039832fdb4fc6b50eb5d5b
                                                              • Instruction Fuzzy Hash: 2CE1D7B4E001198FDB14DFA9C5809AEFBF2BF89304F249169D419AB396DB30AD41CF61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 70476d618a3b2eae5ea4764a9ca397b5035958f2f85da259aff7f4ec53f46f3a
                                                              • Instruction ID: d946381a2be691171d688a396d219114d486d100e50b2259f5dfc87623262a7b
                                                              • Opcode Fuzzy Hash: 70476d618a3b2eae5ea4764a9ca397b5035958f2f85da259aff7f4ec53f46f3a
                                                              • Instruction Fuzzy Hash: 44E1ECB4E001198FDB14DFA9C5809AEFBF2BF89304F249169D418A7396DB30AD41CF61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 15e157baecca79f1b5d9d036ca58a661ad26c1b2036d028f08b56b608fd649ea
                                                              • Instruction ID: e248531608cda74256f88c394746f5a8aeeb56c9e485c75bfdf06dae49c842f7
                                                              • Opcode Fuzzy Hash: 15e157baecca79f1b5d9d036ca58a661ad26c1b2036d028f08b56b608fd649ea
                                                              • Instruction Fuzzy Hash: BCE1FCB4E001198FDB14DFA9C5809AEFBF2BF89304F249169E419AB356DB35AD41CF60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3fc97eabb2b795cb76fb9a4e20932ecea8a5a62f0935d46280103c891e746945
                                                              • Instruction ID: 5d5b906157a59dd8bbe1db6eee740a73f5008512e663d5a17a1122722e81b767
                                                              • Opcode Fuzzy Hash: 3fc97eabb2b795cb76fb9a4e20932ecea8a5a62f0935d46280103c891e746945
                                                              • Instruction Fuzzy Hash: CCE1EBB4E001198FDB14DFA9D5809AEFBF2BF89304F249169E418A7396DB35AD41CF60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 99c20654c298c667af68ff20514ed3b4042daf695f40eebdf24aa6828336ac30
                                                              • Instruction ID: 77b4b38866edbbd82ed69350dfa4d9537b2f557fb2e30467be4c421106469a9d
                                                              • Opcode Fuzzy Hash: 99c20654c298c667af68ff20514ed3b4042daf695f40eebdf24aa6828336ac30
                                                              • Instruction Fuzzy Hash: 55D1F53192075A8ACB00EBA4D991A9DF7B1FF95300F10C79AE04937665FB706AC9CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1806079694.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1070000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b5aeaac1f650aeb70e03e6dee22ab9ecf51cbeaad3dd7e373fe258d75cb89a0d
                                                              • Instruction ID: d725407250a6a97fae17479a62c14f86961dbf245acec8c2efdbb00165deea34
                                                              • Opcode Fuzzy Hash: b5aeaac1f650aeb70e03e6dee22ab9ecf51cbeaad3dd7e373fe258d75cb89a0d
                                                              • Instruction Fuzzy Hash: AFA16032E002068FCF16DFB8C8805DEBBF2FF98300B1545AAE955AB265DB71E955CB40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 297f69bd72c955154fb1c3db13d30ac5662b4f7de553858120067fc8bd5ddca9
                                                              • Instruction ID: 32fbb8179a39afc9e25fefa8ef965c6df9b2ced58fe6cf2552076acdcf3800b6
                                                              • Opcode Fuzzy Hash: 297f69bd72c955154fb1c3db13d30ac5662b4f7de553858120067fc8bd5ddca9
                                                              • Instruction Fuzzy Hash: 7ED1053192075A8ACB00EBA4D991A9DF7B1FF95300F10C79AE04937665FB706AC9CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: abe26e1f9c10106e31071806bb635118e900b6119d882453a200f423f7951780
                                                              • Instruction ID: a15b15e601999ca9f91ea3fe0abd28c88a9aaa31e716461be0ad72e5d9aa8f9d
                                                              • Opcode Fuzzy Hash: abe26e1f9c10106e31071806bb635118e900b6119d882453a200f423f7951780
                                                              • Instruction Fuzzy Hash: 9A81FFB4E14619CFCB44CFA9C98899EFBF2FF89250F14955AE415AB324D330AA46CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812293767.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_75d0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1812142170.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7530000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: T+-q$[V~*$[V~*$]\`
                                                              • API String ID: 0-1849991408
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Execution Graph

                                                              Execution Coverage:10.6%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:17
                                                              Total number of Limit Nodes:4
                                                              execution_graph 23047 17e0848 23049 17e0849 23047->23049 23048 17e091b 23049->23048 23051 17e1383 23049->23051 23052 17e138a 23051->23052 23053 17e1488 23052->23053 23055 17e7eb8 23052->23055 23053->23049 23056 17e7ec2 23055->23056 23057 17e7edc 23056->23057 23060 6fafa50 23056->23060 23064 6fafa40 23056->23064 23057->23052 23061 6fafa65 23060->23061 23062 6fafc7a 23061->23062 23063 6fafc91 GlobalMemoryStatusEx 23061->23063 23062->23057 23063->23061 23066 6fafa50 23064->23066 23065 6fafc7a 23065->23057 23066->23065 23067 6fafc91 GlobalMemoryStatusEx 23066->23067 23067->23066

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                              • API String ID: 0-2392861976
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $^q$$^q
                                                              • API String ID: 0-355816377
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $
                                                              • API String ID: 0-3993045852
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fc84e3395e99c866f9479c28063134893c2cab9afebffb8758878aea6ab16b19
                                                              • Instruction ID: 1e0717777229c5a0f3073ef5bfadca1450cd3c3ffba82c4f5c0083ba2e02f64b
                                                              • Opcode Fuzzy Hash: fc84e3395e99c866f9479c28063134893c2cab9afebffb8758878aea6ab16b19
                                                              • Instruction Fuzzy Hash: 0962AC74F102049FDB54DB68D584AADB7F2EF88314F188469E40AEB394DB35EC86CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3ca05ef4e3c69727e1f2496fa854ccd5b6de1d6a83a89e20ee3b0d80e2c6ea43
                                                              • Instruction ID: 3e05b35ff2a1c58ceda8c830f74fdd057a83d25f0ca97adbae0e7b4ca43ffd52
                                                              • Opcode Fuzzy Hash: 3ca05ef4e3c69727e1f2496fa854ccd5b6de1d6a83a89e20ee3b0d80e2c6ea43
                                                              • Instruction Fuzzy Hash: 56328F74F102099FEB55DB68D990AAEB7F2FB88310F108525E405EB394DB35EC86CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 575a962db8c99c6699adc35097a9788713be13faff9333f62703dfcb7b51d760
                                                              • Instruction ID: 12d62a6a7cda9805e3884743d466d55f0753d44ba3c9e0f4bb733023bf34d4ea
                                                              • Opcode Fuzzy Hash: 575a962db8c99c6699adc35097a9788713be13faff9333f62703dfcb7b51d760
                                                              • Instruction Fuzzy Hash: AB225FB0E102098FEF64CB6CC5847AEB7B6FB89310F248926D445DB395CA35DC82CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                              • API String ID: 0-3823777903
                                                              • Opcode ID: 34f436e802731cc59bc3d054f40325ade6ef71250e7a904cef017ba60b2d58be
                                                              • Instruction ID: 46dbedc34e2dbfe9ded45a46e5958d3f1b1803468da5a41c6aa830cb2b1cdcae
                                                              • Opcode Fuzzy Hash: 34f436e802731cc59bc3d054f40325ade6ef71250e7a904cef017ba60b2d58be
                                                              • Instruction Fuzzy Hash: 9AE14C70E1030A8FDB69DF69D9846AEB7B2FF88304F108529D409AB354DB75DC4ACB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                              • API String ID: 0-2392861976
                                                              • Opcode ID: 32368e3805035e64fecf15aba5b2ac91de6523ee13fe999f75f6141b183b4719
                                                              • Instruction ID: f9c9ede060545204f437115505ca4abcfe45ae276b4b1bb6a108e2935f1c5552
                                                              • Opcode Fuzzy Hash: 32368e3805035e64fecf15aba5b2ac91de6523ee13fe999f75f6141b183b4719
                                                              • Instruction Fuzzy Hash: 1B026BB0E1020A8FDFA4CF68D580AADB7B2FB85310F24856AD405EB355DB75DC86CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $^q$$^q$$^q$$^q
                                                              • API String ID: 0-2125118731
                                                              • Opcode ID: 8ad014484775402d9bf64d7b353bd43e84c04091229793723ecf391fbbe69862
                                                              • Instruction ID: 2a003ae8659fa31a86b220706805eb58a189804adb3ee30265605a9b9aa5a0bc
                                                              • Opcode Fuzzy Hash: 8ad014484775402d9bf64d7b353bd43e84c04091229793723ecf391fbbe69862
                                                              • Instruction Fuzzy Hash: D9913D70F2021A9FEB54DF65D9507AEB3F6EFC9204F108469C809EB344EE74AD468B91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $^q$$^q$$^q
                                                              • API String ID: 0-831282457
                                                              • Opcode ID: aa5bd08bca1e432c641bb2a9fba49818a1dc111098ea9a73477f234d792e5803
                                                              • Instruction ID: 8e130c87adadccde3c04b47a6a0d9793c2e74d20ffdb60004ba7654f16e25cdc
                                                              • Opcode Fuzzy Hash: aa5bd08bca1e432c641bb2a9fba49818a1dc111098ea9a73477f234d792e5803
                                                              • Instruction Fuzzy Hash: 82624071A0030A8FDB55DB68D594A5DBBF2FF84304F108968D0099F769DB75EC8ACB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: fcq$XPcq$\Ocq
                                                              • API String ID: 0-3575482020
                                                              • Opcode ID: 3be1146e9541eb40598129c9bd4686bbc050c74547d38ffeeabe3b9471db9c84
                                                              • Instruction ID: d1aed5afcd841f88d3c9fcc42c5ca2c7c77f1aec18760fd88b8b6fa435e894ad
                                                              • Opcode Fuzzy Hash: 3be1146e9541eb40598129c9bd4686bbc050c74547d38ffeeabe3b9471db9c84
                                                              • Instruction Fuzzy Hash: AF616E71E002199FEF559FA8C8547AEBAF7FF88340F208429D10AAB395DB758C45CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $^q$$^q
                                                              • API String ID: 0-355816377
                                                              • Opcode ID: a79b4198dd5ff806ca4df272e16cb22d2f189d2af8562940bc65415a0cb57139
                                                              • Instruction ID: 5bcfde0250af316fdee443376b7acddf9188b3b4af948dc38ad4e61e96cbc7e5
                                                              • Opcode Fuzzy Hash: a79b4198dd5ff806ca4df272e16cb22d2f189d2af8562940bc65415a0cb57139
                                                              • Instruction Fuzzy Hash: FE511E70F102059FEB54DB74D950BAEB3FAEFC8644F148469C409EB384EE74AC428B95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2995885964.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_17e0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4d3a88cee4fb8c6bd1b92f04c96137008ea06f3e4823b323fe9331c05fa326c1
                                                              • Instruction ID: 298b53fbdf5e5f5b0ced5092db386524088021af9882ef9c2a588171d0296020
                                                              • Opcode Fuzzy Hash: 4d3a88cee4fb8c6bd1b92f04c96137008ea06f3e4823b323fe9331c05fa326c1
                                                              • Instruction Fuzzy Hash: 8D414371D043999FCB14DF79D8046DEBFF5AF89310F14856AD908A7291EB349840CBE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 017EEC8F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2995885964.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_17e0000_Docs.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Instruction Fuzzy Hash: 5411A132F102285FDF949678CC146AE73EBEBC8254F004539D50AE7340DE65DC028BD2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4c2ca937e446001a9f8ffae8f461c21f0564da83fb3b06c2ff6e90aaa46ad783
                                                              • Instruction ID: bd6631843134d83f1e9308dd5bffe7a80cbcb2951f8c8345fd5a3fa4c64d2803
                                                              • Opcode Fuzzy Hash: 4c2ca937e446001a9f8ffae8f461c21f0564da83fb3b06c2ff6e90aaa46ad783
                                                              • Instruction Fuzzy Hash: CE012B30F042101FDB61D5BDA81476BA7DBDBCA720F14843AE10ECB355DEA5CC464795
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 618cceea5e5901f598e6a2b9a5dd6b50b2d4899b0b47b0055eacb40dd747b356
                                                              • Instruction ID: 55ef76494b4ef753c13bb82f7fe0f805752a451b851d3b60da1aba1ee3051c53
                                                              • Opcode Fuzzy Hash: 618cceea5e5901f598e6a2b9a5dd6b50b2d4899b0b47b0055eacb40dd747b356
                                                              • Instruction Fuzzy Hash: EB01F771F042142FDB65957DE850B6FB7EBDBCA610F148439E50AC7340DA65DC0287D2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 15e2c4d96bc5c56c3f823a5b97d4655da9b56508a64781ce88c8f8dc6c34d0e2
                                                              • Instruction ID: 7d0563f6aed5eb29aec37dea6978905a2af9e31d8aa77785f10ac70c8d8e46f5
                                                              • Opcode Fuzzy Hash: 15e2c4d96bc5c56c3f823a5b97d4655da9b56508a64781ce88c8f8dc6c34d0e2
                                                              • Instruction Fuzzy Hash: C121C4B5D01259EFCB10DF9AD885ADEFBB8FB48310F10812AE918A7240C375A954CFE5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63c6e61eb68330a2650c6b5136dda28efa3d1a55bdd05dae826ca819a823ca23
                                                              • Instruction ID: 3ca786a3fe3ae504fd643d24dadda19c31fea8e88d9d238774ee6e56ff866ea7
                                                              • Opcode Fuzzy Hash: 63c6e61eb68330a2650c6b5136dda28efa3d1a55bdd05dae826ca819a823ca23
                                                              • Instruction Fuzzy Hash: 4001F774F003101FD761D63CE851B6F77E6EB8A650F108469E14ACB345DA16DC06C7D1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2992442590.000000000178D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0178D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_178d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                              • Instruction ID: 2dfd170fe987589aed59ba4e346c960aaf9cee4cd15972f295fc703efbba69c3
                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                              • Instruction Fuzzy Hash: 6711DD75544284CFDB22DF54C9C4B16FFA2FB84314F24C6AAD8494B292C33AD44ACF62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c58f02200e0bcedb7c0a5b4ec51726911b258019346f63995d923b858960e8b2
                                                              • Instruction ID: d50b54c09382285b86b1301761997a171e367c4201dd6e6c92c2dd90abfb708e
                                                              • Opcode Fuzzy Hash: c58f02200e0bcedb7c0a5b4ec51726911b258019346f63995d923b858960e8b2
                                                              • Instruction Fuzzy Hash: 1E012432F101241FDB94C579EC20AEF32ABDFC8244F04403AD40AE7280EE648C0687D2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dc4125903a4a07342deed9ede09047da3cf1c0eefe9cf8b7574b3b6348e17e9d
                                                              • Instruction ID: 21f5812b4d54336f30a1d20c6dd1159164b8d6a92b1ae17fbfae3d3524ed7ac7
                                                              • Opcode Fuzzy Hash: dc4125903a4a07342deed9ede09047da3cf1c0eefe9cf8b7574b3b6348e17e9d
                                                              • Instruction Fuzzy Hash: 7811B4B5D01259DFCB00DF9AD885ADEFFB4FB48314F10812AE518A7240D375A554CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 15e1d0d3178be21d95756a8e196a1a70f1c94a22dbaceb6d0e7d9d8bdaa6577c
                                                              • Instruction ID: 6aef1a9a9648df6d80de54e43dcf2903c3f03760334dfe964bca8ad493be2479
                                                              • Opcode Fuzzy Hash: 15e1d0d3178be21d95756a8e196a1a70f1c94a22dbaceb6d0e7d9d8bdaa6577c
                                                              • Instruction Fuzzy Hash: 5701D131F002141BDBA4D9AEA40472BB3DBDBCA720F208439E20EC7354DEA5DC424795
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f6b37989c9740aeb57cbce794db29153d70723079d3acb25188b952be61d584
                                                              • Instruction ID: 8588064a9ece4d8d8c7749e317efc876d8b98faec329b348fb7e2fe7a0e56fe1
                                                              • Opcode Fuzzy Hash: 7f6b37989c9740aeb57cbce794db29153d70723079d3acb25188b952be61d584
                                                              • Instruction Fuzzy Hash: FE01DC35F002102BCB64AA6DA494B2EA2DBDBC9620F108839E10EC7340EE65DC0287D1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 279259d403baf67a933a1ec9d265f0df63256126668f31b998badb9ca350315c
                                                              • Instruction ID: 735a993d7e7a49f4bbaf57868067193e893b4a1c7b5493aa89e4d71f6c7a0aa0
                                                              • Opcode Fuzzy Hash: 279259d403baf67a933a1ec9d265f0df63256126668f31b998badb9ca350315c
                                                              • Instruction Fuzzy Hash: 87018174F103141FDB61D66CE85172EB3E6EB8A650F108438E10AC7344EA26DC068781
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fda838198e34289a59e871f97b5248ca2588ffb00666ab34be95bab8d4f9c0c9
                                                              • Instruction ID: 6d9f4991df9c6c4637d5c5f5c4e53e8c7a4f1dc12346c5c3daa5a76d50dcd603
                                                              • Opcode Fuzzy Hash: fda838198e34289a59e871f97b5248ca2588ffb00666ab34be95bab8d4f9c0c9
                                                              • Instruction Fuzzy Hash: 5BE092F2E153086BDF60CE60DD2579A7B5EE702204F2488A1DC04C7182E276D9008791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                              • API String ID: 0-2222239885
                                                              • Opcode ID: 2ffdc605970a5ff01758969a5e8e3aa02eb73ab400f419680cc3713f2208e1b5
                                                              • Instruction ID: e90042edc68285d0a6f44260900405c3b89af5dab48b62430a51990870efe391
                                                              • Opcode Fuzzy Hash: 2ffdc605970a5ff01758969a5e8e3aa02eb73ab400f419680cc3713f2208e1b5
                                                              • Instruction Fuzzy Hash: C2120B74E002198FDB68EF65C954A9EB7F2FF88704F208569D409AB364DB319D86CF81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                              • API String ID: 0-3823777903
                                                              • Opcode ID: 622d78467d294025a9addc84523808f1ffba799759c9f7acd802c49c79471bd4
                                                              • Instruction ID: 1316b466e6c6f6ca7e96e8cef5d32ac772252d9b9c412cfbdd5a3f51373bb723
                                                              • Opcode Fuzzy Hash: 622d78467d294025a9addc84523808f1ffba799759c9f7acd802c49c79471bd4
                                                              • Instruction Fuzzy Hash: D4912AB0E10309DFEB68DF64DA58B6EB7F6EF88300F108529E4059B294DB759D49CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
                                                              • API String ID: 0-390881366
                                                              • Opcode ID: 49d8298d233cc7ca9a2ffe1884536865004e10f6e44b5bda95c6f918de4d27b0
                                                              • Instruction ID: 43523d9ae0aa19ca9cac4fc9b359870dabdd00fe67dbb25f32c8d40ca5cdb587
                                                              • Opcode Fuzzy Hash: 49d8298d233cc7ca9a2ffe1884536865004e10f6e44b5bda95c6f918de4d27b0
                                                              • Instruction Fuzzy Hash: 67F11B74B10209CFDB59EB68C598A5EBBF6FF88300F208568D4059B368DB75DC46CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $^q$$^q$$^q$$^q
                                                              • API String ID: 0-2125118731
                                                              • Opcode ID: 41da63c5ef4957a162e5567d98f085747c771e03c10647153c46aeb975f95a84
                                                              • Instruction ID: c01d60b4f4d80be7b4ec802d640774f0dd9d3119234d2dd66522cb86896a8110
                                                              • Opcode Fuzzy Hash: 41da63c5ef4957a162e5567d98f085747c771e03c10647153c46aeb975f95a84
                                                              • Instruction Fuzzy Hash: E9B11870F102098FDB58DB68D58469EBBF6FF88344F248829D4169B358DBB5DC86CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $^q$$^q$$^q$$^q
                                                              • API String ID: 0-2125118731
                                                              • Opcode ID: cc6bc3669e861e0331de7745852821373ef664178e0dceda2c7c46996fbddffe
                                                              • Instruction ID: d9d7a8fb0465239a16f838566884edc70bd84fafacf2d77e4d62232bb4f99775
                                                              • Opcode Fuzzy Hash: cc6bc3669e861e0331de7745852821373ef664178e0dceda2c7c46996fbddffe
                                                              • Instruction Fuzzy Hash: 33518E70E103059FDFA5DB68D9846AEB7F2EB88301F14856AE406DB354DB34EC4ACB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3013331695.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6fa0000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR^q$LR^q$$^q$$^q
                                                              • API String ID: 0-2454687669
                                                              • Opcode ID: 193ae69d41d3f7097eb2aec13fc15c45792b7da2736fd751c1a852bf7174a8af
                                                              • Instruction ID: efebf84e546767d921c12b0a450dffa780466e566a1eff7d35d60567a3263605
                                                              • Opcode Fuzzy Hash: 193ae69d41d3f7097eb2aec13fc15c45792b7da2736fd751c1a852bf7174a8af
                                                              • Instruction Fuzzy Hash: 6551CF71F003058FDB58DB78D944A6AB7E2FF88740F108568E4169B3A8DEB0EC45CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%